APF fully automated

Maniak (Verified User, joined Aug 25, 2004, 222 messages, Switzerland)
I made it to set it up in the future. It was tested on CentOS, but since nothing is special, it should work for other distributions.

Use at your own risk!!

3 commands to run.

# cd
# wget http://popowski.free.fr/directadmin/firewall.sh
# sh firewall.sh

This system opens incoming ports:
21,22,37,53,80,110,143,443,465,993,995,2222,6000_7000

This system opens outbound ports:
21,25,43,80,110,143,443,465,993,995,2222

After installation you can add your own port selection to the file /etc/apf/conf.apf. The original conf.apf file can be found at /etc/apf/conf.apf.bak (for the comments).

Enjoy it.
 
Why not use default linux firewall?

As for me, I'm using FreeBSD packet filter (PF). It's wonderful!
 
paix said:
Why not use default linux firewall?

As for me, I'm using FreeBSD packet filter (PF). It's wonderful!

With APF, you're still using iptables.

What's APF
APF is a policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike.
 
Maybe I'm doing something wrong, but I get an error while running the script:

cut: the delimiter must be a single character

the system I tried on is:
CentOS release 3.8
 
Hi,

Oddis said:
Maybe I'm doing something wrong, but I get an error while running the script:

cut: the delimiter must be a single character

the system I tried on is:
CentOS release 3.8

I have uploaded the script somewhere, because vBulletin's quoting removes double spaces, causing this problem.

Try again!
 
Installed again and it works perfect.
Thanks a lot Maniak
 
Hello,

I just noticed a mistake, I forgot to open port 25 for incoming emails.

The script has been updated. If you have already installed it, you can add port 25 yourself to IG_TCP_CPORTS and IG_UDP_CPORTS in the file /etc/apf/conf.apf

or run this :

# perl -i -pe 's/IG_TCP_CPORTS="21,22,37,53,80,110,143,443,465,993,995,2222,6000_7000"/IG_TCP_CPORTS="21,22,25,37,53,80,110,143,443,465,993,995,2222,6000_7000"/' /etc/apf/conf.apf
# perl -i -pe 's/IG_UDP_CPORTS="20,21,22,53"/IG_UDP_CPORTS="20,21,22,25,53"/' /etc/apf/conf.apf

:)
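The perl one-liners above only match the exact original value, so on an already-edited conf.apf they silently change nothing. As an added example (not the thread's script), this POSIX shell function parses the current IG_*_CPORTS list, appends the port only if it is not already present, and reports what it did; the conf.apf fragment is constructed for the demo and GNU sed -i is assumed.

```shell
#!/bin/sh
# Added example: edit an APF port list by parsing it instead of exact-match substitution.

# apf_get_ports FILE VAR -> prints the current comma-separated list for VAR
apf_get_ports() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# apf_add_port FILE VAR PORT -> 0 added, 1 already present, 2 VAR not found in FILE
apf_add_port() {
    file=$1 var=$2 port=$3
    grep -q "^${var}=\"" "$file" || return 2
    current=$(apf_get_ports "$file" "$var")
    # Membership test on the comma-delimited list; ranges such as 6000_7000 stay opaque items
    case ",$current," in
        *",$port,"*) return 1 ;;
    esac
    if [ -z "$current" ]; then new=$port; else new="$current,$port"; fi
    # GNU sed -i assumed; rewrite only the VAR="..." line
    sed -i "s|^${var}=\"[^\"]*\"|${var}=\"${new}\"|" "$file"
    return 0
}

# Constructed sample conf.apf fragment using the values from the thread
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="21,22,37,53,80,110,143,443,465,993,995,2222,6000_7000"
# Common inbound (ingress) UDP ports
IG_UDP_CPORTS="20,21,22,53"
EOF

apf_add_port "$demo_conf" IG_TCP_CPORTS 25 && echo "added 25 to IG_TCP_CPORTS"
apf_add_port "$demo_conf" IG_TCP_CPORTS 25 || echo "25 already present (rc=$?)"
apf_add_port "$demo_conf" IG_UDP_CPORTS 25 && echo "added 25 to IG_UDP_CPORTS"
echo "IG_TCP_CPORTS is now: $(apf_get_ports "$demo_conf" IG_TCP_CPORTS)"
rm -f "$demo_conf"
```

After editing the real /etc/apf/conf.apf, reload the rules with `apf -r` as the thread does.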
 
It doesn't work with kernel >2.6.17 :) Use ELS to install APF, or patch APF after install with:

Code:
# perl -pi -e 's/ipt_state 1/xt_state/' /etc/apf/internals/functions.apf
# perl -pi -e 's/ipt_multiport 1/xt_multiport/' /etc/apf/internals/functions.apf
 
It doesn't work with kernel >2.6.17 :) Use ELS to install APF, or patch APF after install with:

Code:
# perl -pi -e 's/ipt_state 1/xt_state/' /etc/apf/internals/functions.apf
# perl -pi -e 's/ipt_multiport 1/xt_multiport/' /etc/apf/internals/functions.apf

It does!

#---------------------------------------------------------------
# Check that everything went fine
#---------------------------------------------------------------

if [ "`apf -r`" = "" ]; then
    clear;
    echo "You are done with your firewall setup.";
    exit;
else
    echo "There is a problem. We will try to solve it.";
    # Kernels newer than 2.6.17 name the modules xt_state / xt_multiport
    perl -i -pe 's/ml ipt_state 1/ml xt_state/' /etc/apf/internals/functions.apf
    perl -i -pe 's/ml ipt_multiport 1/ml xt_multiport/' /etc/apf/internals/functions.apf

    # Reload once more; if apf -r still prints anything, give up
    if [ "`apf -r`" != "" ]; then
        clear;
        echo "No way to solve this problem. Please check yourself if iptables is properly working on your system";
        exit;
    fi
fi
 
I have a problem! I installed APF with your tutorial and source above, but I cannot send and receive email!
This system opens incoming ports:
21,22,37,53,80,110,143,443,465,993,995,2222,6000_7000

This system opens outbound ports:
21,25,43,80,110,143,443,465,993,995,2222
Help me???
 
Thanks, will test today :)

tested, works fine ;)

thanks again.
 
I have a problem! I installed APF with your tutorial and source above, but I cannot send and receive email!

Help me???

Hi,

change:

This system opens incoming ports:
21,22,37,53,80,110,143,443,465,993,995,2222,6000_7000

to

This system opens incoming ports:
21,22,25,37,53,80,110,143,443,465,993,995,2222,6000_7000

and restart apf (system apf restart or apf -r)
 
You probably want to open port 587 as well; it's the email authenticated sender port.

Jeff
 
How can we make it work on a CentOS VPS?
We tried, but it's giving an error:


Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/

Other Details:
eth0: error fetching interface information: Device not found
eth0: error fetching interface information: Device not found
cp: cannot stat `/etc/apf.bk.last/vnet/*.rules': No such file or directory
Imported options from 0.9.6-1 to 0.9.6-1.
Note: Please review /etc/apf/conf.apf for consistency, install default backed up to /etc/apf/conf.apf.orig
We set the right permissions...
We set your firewall to start at boot time.
eth0: error fetching interface information: Device not found
eth0: error fetching interface information: Device not found
eth0: error fetching interface information: Device not found
eth0: error fetching interface information: Device not found
eth0: error fetching interface information: Device not found
There is a problem. We will try to solve it.
eth0: error fetching interface information: Device not found
eth0: error fetching interface information: Device not found
eth0: error fetching interface information: Device not found
eth0: error fetching interface information: Device not found
eth0: error fetching interface information: Device not found
No way to solve this problem. Please check yourself if iptables is properly working on your system
[root@ ~]#
Thanks
 
Did you do the DA install yourself?

Look here and search for Special notice for VPS/VDS installs.

Jeff
 
I changed eth0 to venet0 in conf.apf.
When I try restarting apf I get the following:
# apf -s
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
 