How to properly install APF (Advanced Policy Firewall) on CentOS or Ubuntu

This guide will show you how to properly install APF firewall, one of the better known Linux firewalls available, on different Linux distros like Redhut/CentOS and Debian/Ubuntu. Configuration part doesn't differ from distro to another distro, so reading the official README file or googling will suffice. However, for installation part if the most instructions available online will prove correct for RedHut/CentOS, then for Debian/Ubuntu current installation script won't work and, unfortunately, you will not find much information on how to fix it.

What is APF (Advanced Policy Firewall)?

APF is a policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in tar.gz format and RPM formats, make APF ideal for deployment in many server environments based on Linux. APF is developed and maintained by R-fx Networks: http://www.rfxn.com/projects/advanced-policy-firewall

Requirements:
- Root SSH access to your server

CentOS

Login to your server through SSH and su to the root user.

1. cd /root/downloads or another temporary folder where you store your files.

2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

3. tar -xvzf apf-current.tar.gz

4. cd apf-0.9.5-1/ or whatever the latest version is.

5. Run the install file: ./install.sh
You will receive a message saying it has been installed

Installing APF 0.9.5-1: Completed.
Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/
Other Details:
Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306
Listening UDP ports: 53,55880
Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.

That's it for CentOS, you are done with installation, now make sure to configure your APF well.

Ubuntu

As for Ubuntu, installation is little bit more complicated, since running the official install.sh script will result in something like:


sh install.sh
Installing APF 9.7-2: /etc/apf/vnet/vnetgen: 28: source: not found
[: 32: unexpected operator
vnetgen.def not found, aborting.
Completed.

Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf

Other Details:
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 34: unexpected operator
[: 45: unexpected operator
[: 45: unexpected operator
[: 45: unexpected operator
[: 45: unexpected operator
[: 45: unexpected operator
[: 45: unexpected operator
[: 45: unexpected operator
[: 45: unexpected operator
[: 45: unexpected operator
[: 45: unexpected operator
Listening TCP ports:
Listening UDP ports:
Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.

So don't run installation script if you are on Ubuntu. If you already did, then cleaning up your system from broken APF installation in the following way:


rm -rf /etc/apf
rm -f /etc/rc.d/init.d/apf
rm -f /etc/logrotate.d/apf
rm -f /etc/cron.daily/apf
rm -f /etc/cron.d/refresh.apf
rm -f /usr/local/sbin/apf
rm -f /var/log/apf_log*

Check if there are “echo /etc/apf/apf -s >> /dev/null 2>&1” statement in the /etc/rc.local file or not, if so, delete it.

Now, you could install APF from the official repository by running:


sudo apt-get install apf-firewall

I personally prefer to install APF from the original source, since (1) Ubuntu provides pretty much outdated version and also (1) changes all the script paths, which makes it challenging to integrate APF with such an excellent script as BFD (Brute Force Detection) at alter stages. However, if you've decide to go with the official Ubuntu version, then take into attention you might run onto this problem if your kernel version is 3.x: https://bugs.launchpad.net/ubuntu/+source/apf-firewall/+bug/878729

For those who would like to install APF from the source there is another solution. Download adapted for Ubuntu version of APF: http://akyl.net/sites/default/files/apf-0.9.6-3-ubuntu.tar_.gz (Underscore sign has been added for security reasons)

Extract it:


mv apf-0.9.6-3-ubuntu.tar_.gz apf-0.9.6-3-ubuntu.tar.gz
tar -xvzf apf-0.9.6-3-ubuntu.tar.gz

Change to installation directory:


cd apf-0.9.6-3-ubuntu

Now, because Debian/Ubuntu does not have /etc/rc.d/init.d directory, but just /etc/init.d/ we'd need to use symbolic links:


mkdir /etc/rc.d
ln -s /etc/init.d /etc/rc.d/init.d

and finally run the script:


./install.sh

Proceed with configuration normally.

Add new comment

Filtered HTML

  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <pre>
  • Lines and paragraphs break automatically.
  • Web page addresses and e-mail addresses turn into links automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
To