APF (Advanced Policy Firewall) is an easy to install and configure firewall package that many users choose to run on their WHM/Cpanel servers for security. The installation and configuration need to be done via an ssh connection as root. Here are the steps involved:
Log in as root, then run the following commands, one at a time.
(If you receive an error message on any of the commands, check your typing or make note of the error and either search Google or your favorite search engine for the error, or open a ticket with support.)
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar xzvf apf-current.tar.gz
cd apf-*
./install.sh
APF will notify you once the installation is complete. Once complete you will need to configure which ports the firewall allows. Using your favorite editor, edit the file. I’m using nano because it’s the simplest for new users.
nano /etc/apf/conf.apf
You will need to look for the portion of the file that contains “Common ingress (inbound) ports” and edit it so that it reflects these values:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS=” 20,21,22,25,26,53,80,110,143,443,465,993,995,2077,2078,2082,
2083,2086,2087,2095,2096,3306,6666″
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS=”21,53,465,873,2077,2078″
# Common ICMP (inbound) types
# ‘internals/icmp.types’ for type definition; ‘all’ is wildcard for any
IG_ICMP_TYPES=”3,5,11,0,30,8″
# Common egress (outbound) TCP ports
EG_TCP_CPORTS=”21,25,26,37,43,53,80,113,465,873,3306″
# Common egress (outbound) UDP ports
EG_UDP_CPORTS=”20,21,53,465,873″
# Common ICMP (outbound) types
# ‘internals/icmp.types’ for type definition; ‘all’ is wildcard for any
EG_ICMP_TYPES=”all”
Once this is done you can start the APF service by issuing the command:
/usr/local/sbin/apf -s
At this point you will need to test all of your ports functionality. If everything is fine, you’ll need to edit your /etc/apf/conf.apf file one more time. Find
DEVM=”1″
and change it to
DEVM=”0″
This will prevent APF from clearing itself every 5 minutes. While that is useful for testing, you don’t want your rules disappearing regularly.