Hello, friends. In this post, you will learn how to install APF on Debian 11. But first, let’s talk a brief about it.
What is APF?
According to the project website:
APF is an iptables(netfilter) based firewall system designed around
The essential needs of today’s Internet deployed servers and the unique
needs of custom deployed Linux installations.
One of the main features of APF is that it is easy to configure. This is important so that we can use it without hassle.
Some features of AFP are:
- Detailed and well commented configuration file
- Granular inbound and outbound network filtering
- User id based outbound network filtering
- Application based network filtering
So let’s go for it. Let’s install AFP and apply some initial settings.
The first thing we have to do is to open a terminal and update the distribution completely.
sudo apt update sudo apt upgrade
As I always say, updating the system allows having the latest security patches installed and so the system will be a little more stable and secure.
Then, thanks to the
wget command, download the latest stable version of APF.
Thanks to the
tar command, unzip the downloaded file.
tar -zxf apf-current.tar.gz
After doing this, access the folder that has been generated.
Inside it, you will see a file called
install.sh which is a script that performs all the necessary installation.
We have to run this file with root permissions.
This will start the whole installation process. When finished, you will be able to see in the output screen the paths of the most important files of the application configuration.
Configuring APF in Debian 11
The APF configuration file is
/etc/apf/conf.apf. There we can make the changes we need and open or close ports.
So, before editing it, make a backup of it.
sudo cp /etc/apf/conf.apf /etc/apf/conf.apf.bak
Now edit it.
sudo nano /etc/apf/conf.apf
While we are testing the application, it is convenient that the value of
But when we are ready for production, the value should be
Next we will define the network interface that has output to the internet. For our post, this interface is
eth0 and therefore will be untrusted.
Since it is untrusted, APF will monitor it constantly.
By default, for AFP, all ports are blocked unless otherwise defined in the configuration file. To complete this, look for the
IG_TCP_CPORTS directive and set the ports inside. For example,
You can also define UDP ports:
Or ICMP ports:
Save the changes and close the text editor.
To deny or allow host access to the server, we have the
/etc/apf/allow_host.rules files where we can easily set IP addresses or address ranges.
To start APF just run
sudo apf -s
Then, to stop it
sudo apf -f
Or check the status
sudo apf -st
Or restart it to apply changes in the configurations
sudo apf -r
Now it’s up to you to test it and keep using it. For more information, see the documentation.
AFP is an important tool for the security of your computer. That is why it is necessary to know it.