Sometimes, you just don't want to use the firewall software that is available in Ubuntu's repositories. Maybe it isn't sophisticated enough, and you're a sophisticated person. Maybe you need a more elaborate firewall. Maybe you just want to try out a new firewall. I'd like to introduce you to a very good firewall known as APF. To my knowledge, many websites hosted on many servers rely on the APF firewall. APF is very easy to configure, since its configuration file has detailed explanations. Installing it is even easier! I believe that within 10 minutes or less you can have APF running on your Ubuntu system!
In this blog post, I won't go into detail about how to configure your APF firewall, since each network and each server is unique. Each server runs different software, and therefore different custom ports need to be opened. Instead, I will focus on installing APF, highlighting the important options in APF's configuration file, and showing you how to get APF starting on boot/reboot on your Ubuntu system.
You can download APF here. After downloading it, go to the directory where you saved the APF download and execute the command [tar xvzf yourdownload-package], replacing yourdownload-package with the name of the APF package you downloaded. Change into the APF directory that was extracted by the command above. Inside it, execute the command [sh install.sh] without the square brackets.
Now you can begin to configure your APF firewall. Just execute the command [vim.tiny /etc/apf/conf.apf]. You need to read everything in conf.apf so you can change the settings to your liking. Since each network and server/computer is unique, you must rely on a detailed understanding of your own network's structure. Still, I'm going to highlight some important configuration settings you need to change.
First, if you are connected to your Ubuntu box remotely over ssh, do not change the line that says DEVEL_MODE="1" to DEVEL_MODE="0" until you are satisfied with the changes you have made to conf.apf. Also, don't leave DEVEL_MODE="1" there forever, because it is only a testing mode that prevents you from being locked out of your Ubuntu server/box in case you have made a wrong modification to conf.apf.
Second, on the lines that say IFACE_IN="eth0" and IFACE_OUT="eth0", make sure you make the right change if you're using a wireless adapter or a virtualized network setup. If you're using a normal Ethernet connection for your Ubuntu server/box, then you can just leave these two lines alone. Still unsure? You can run ifconfig in a shell/terminal to pull up all your network interface information.
Third, the line that says IG_TCP_CPORTS= is very important! Whatever ports you add to this line are the ports on which your Ubuntu server/box will accept incoming connections. For example, if you want to make an ssh connection to your Ubuntu server on port 2222 instead of port 22, then you need to remove port 22 and add port 2222 on this line.
Fourth, on the line that says EFG="0", make sure you change this to EFG="1". This line tells APF to filter outgoing connections. Unless you don't care about outgoing connections, you must make this change.
Fifth, the line that says EG_TCP_CPORTS= is where you specify which ports are allowed for outgoing connections from your Ubuntu server/box. For example, if you want your Ubuntu server/box to be able to download software over an FTP connection, then you must add port 21 to this line. Another example: if you want your Ubuntu server/box to be able to browse the Internet through the standard port 80, then you must add port 80 to this line.
For everything else, read the rest of the file so you can customize the other settings to your liking.
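Before switching DEVEL_MODE to "0", it is worth checking conf.apf for the three settings above, especially that the ssh port you are connected on is in IG_TCP_CPORTS. The script below is an added example, not part of APF or of this post; it assumes the KEY="value" syntax shown above and takes the ssh port of your current session as an argument.

```shell
#!/bin/sh
# Added example (not part of APF): pre-flight check of conf.apf before
# switching DEVEL_MODE off. Assumes the KEY="value" syntax quoted in the
# post; SSH_PORT is the port the current admin session arrived on.

# Print the value of KEY="value" from FILE (first match only).
apf_get() {  # usage: apf_get FILE KEY
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Succeed if PORT is an entry of the comma-separated LIST.
in_port_list() {  # usage: in_port_list LIST PORT
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Report the settings the post calls out; exit status = number of problems.
apf_preflight() {  # usage: apf_preflight FILE SSH_PORT
    problems=0
    if [ "$(apf_get "$1" DEVEL_MODE)" = "1" ]; then
        echo "DEVEL_MODE=1: still in test mode; set to 0 once conf.apf is final"
        problems=$((problems + 1))
    fi
    if ! in_port_list "$(apf_get "$1" IG_TCP_CPORTS)" "$2"; then
        echo "IG_TCP_CPORTS lacks ssh port $2: DEVEL_MODE=0 would lock you out"
        problems=$((problems + 1))
    fi
    if [ "$(apf_get "$1" EFG)" != "1" ]; then
        echo "EFG is not 1: outgoing connections are not filtered"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample conf.apf fragment (not from a real server).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
DEVEL_MODE="1"
IFACE_IN="eth0"
IFACE_OUT="eth0"
IG_TCP_CPORTS="22,80,443"
EFG="0"
EG_TCP_CPORTS="21,25,80,443"
EOF

# An admin connected on port 2222 checks this file: three findings.
apf_preflight "$SAMPLE_CONF" 2222 || echo "$? problem(s) found"
```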
After you are done modifying conf.apf, save it! It's now time to start your APF firewall and test it to see whether it is actually blocking and allowing the right ports.
To run or start APF, you need to do [/usr/local/sbin/apf -s]. To restart APF, just do [/usr/local/sbin/apf -r]. When I say you need to do something, it means you type whatever is inside the square brackets into your terminal.
Wondering if APF is actually running? Just do [iptables -L]. If you're not familiar with reading iptables output, then just open conf.apf, remove a port you want to use, and try to make the connection to see whether your software is blocked or not. For example, remove port 22 for your ssh connection, then try to ssh into your Ubuntu server/box to see that APF actually blocks you from connecting on port 22. Then do the opposite to see that you can ssh into your Ubuntu server/box again.
Here comes another important tip! Usually this isn't necessary if you're running CentOS, Fedora or RedHat, but on Ubuntu you must edit the file /etc/rc.local by doing [vim.tiny /etc/rc.local] and add the line [sh -c "/etc/apf/apf -s" &] above the line that says [exit 0]. Don't type the square brackets! Save /etc/rc.local and then reboot. So what is this procedure for? It's necessary for Ubuntu to start APF on reboot or on a fresh boot. Other Linux distributions would usually use [chkconfig --add apf] and [chkconfig --level 345 apf on], but since Ubuntu doesn't have chkconfig installed by default, you must modify /etc/rc.local with the line mentioned above. When restarting your Ubuntu server/box, you may see a bunch of gibberish spat onto your shell; don't be alarmed! Just wait until your shell stops spitting out text completely, then hit the Enter key to see the login prompt. That output on your shell/terminal's screen tells you that Ubuntu started APF. Log in as root and do [iptables -L] to confirm that APF is indeed running!