Hello, friends. In this post, you will learn how to install APF on Debian 11. But first, let’s talk briefly about it.
What is APF?
According to the project website:
APF is an iptables(netfilter) based firewall system designed around the essential needs of today’s Internet deployed servers and the unique needs of custom deployed Linux installations.
One of the main features of APF is that it is easy to configure. This is important so that we can use it without hassle.
Some features of APF are:
- Detailed and well commented configuration file
- Granular inbound and outbound network filtering
- User id based outbound network filtering
- Application based network filtering
So let’s go for it. Let’s install APF and apply some initial settings.
The first thing we have to do is to open a terminal and update the distribution completely.
sudo apt update
sudo apt upgrade
As I always say, updating the system installs the latest security patches, so the system will be a little more stable and secure.
Then, use the wget command to download the latest stable version of APF.
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
Use the tar command to extract the downloaded file.
tar -zxf apf-current.tar.gz
After doing this, access the folder that has been generated.
cd apf-1.*
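Inside it, you will see a file called install.sh, which is a script that performs the whole installation.
We have to run this file with root permissions. Since the archive was downloaded over plain HTTP and the script runs as root, read through it before running it.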
sudo ./install.sh
This will start the whole installation process. When finished, you will be able to see in the output screen the paths of the most important files of the application configuration.
Configuring APF in Debian 11
The APF configuration file is /etc/apf/conf.apf. There we can make the changes we need and open or close ports.
So, before editing it, make a backup of it.
sudo cp /etc/apf/conf.apf /etc/apf/conf.apf.bak
Now edit it.
sudo nano /etc/apf/conf.apf
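While we are testing the application, it is convenient that the value of DEVEL_MODE is 1. In this mode APF sets a cron job that stops the firewall every five minutes, so a bad rule cannot lock you out of the server.
DEVEL_MODE="1"
But when we are ready for production, the value should be 0.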
Next we will define the network interface that has output to the internet. For our post, this interface is eth0 and therefore will be untrusted.
IFACE_IN="eth0"
IFACE_OUT="eth0"
Since it is untrusted, APF will monitor it constantly.
By default, APF blocks all ports unless they are opened in the configuration file. To open inbound TCP ports, look for the IG_TCP_CPORTS directive and list the ports in it. For example,
IG_TCP_CPORTS="21,25,80,110,443,465"
You can also define UDP ports:
IG_UDP_CPORTS="801,456"
Or ICMP types:
IG_ICMP_TYPES="3,5,11"
Save the changes and close the text editor.
To deny or allow host access to the server, we have the /etc/apf/deny_host.rules and /etc/apf/allow_host.rules files where we can easily set IP addresses or address ranges.
To start APF just run
sudo apf -s
Then, to stop it
sudo apf -f
Or check the status
sudo apf -st
Or restart it to apply changes in the configurations
sudo apf -r
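Before restarting APF with an edited conf.apf, it helps to check the values you changed. The following shell script is an added example, not part of APF or of the original post: it reads DEVEL_MODE, IG_TCP_CPORTS, IG_UDP_CPORTS and IG_ICMP_TYPES and reports a testing-mode setting or out-of-range entries. The function names and the LOW_HIGH port range syntax are assumptions.

```shell
#!/bin/sh
# Added example: read-only review of an APF config before `apf -r`.
# Checks only the directives used in this article; never touches iptables.

# Print the value of a KEY="value" line (the last assignment wins).
apf_get() {  # usage: apf_get FILE KEY
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Succeed if $1 is a whole number between $2 and $3.
in_range() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Print one line per finding; exit status is 1 if there are any.
# The body is a subshell so IFS and "set -f" do not leak to the caller.
apf_audit() (  # usage: apf_audit FILE
    findings=0
    set -f
    IFS=,
    if [ "$(apf_get "$1" DEVEL_MODE)" != 0 ]; then
        echo "WARN DEVEL_MODE is not 0 (testing value, not for production)"
        findings=$((findings + 1))
    fi
    for key in IG_TCP_CPORTS IG_UDP_CPORTS IG_ICMP_TYPES; do
        min=1 max=65535
        [ "$key" = IG_ICMP_TYPES ] && min=0 max=255
        for item in $(apf_get "$1" "$key"); do
            # Assumption: a port range is written LOW_HIGH (underscore).
            lo=${item%%_*} hi=${item##*_}
            case $item in *_*_*) lo= ;; esac   # more than one underscore
            if ! in_range "$lo" "$min" "$max" || ! in_range "$hi" "$lo" "$max"; then
                echo "BAD  $key entry '$item'"
                findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -eq 0 ]
)

# Demo on a constructed config (not taken from a real server).
tmp=$(mktemp)
printf '%s\n' 'DEVEL_MODE="1"' 'IG_TCP_CPORTS="21,25,80,110,443,465,70000"' \
    'IG_UDP_CPORTS="801,456"' 'IG_ICMP_TYPES="3,5,11"' > "$tmp"
apf_audit "$tmp" || echo "Fix the findings above before: apf -r"
rm -f "$tmp"
```

To check the real file, call the function with its path, for example `apf_audit /etc/apf/conf.apf`.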
Now it’s up to you to test it and keep using it. For more information, see the documentation.
Enjoy it.
Conclusion
APF is an important tool for the security of your computer. That is why it is necessary to know it.