How to install APF on Debian 11

Everything Linux, A.I, IT News, DataOps, Open Source and more delivered right to you.
"The best Linux newsletter on the web"

Hello, friends. In this post, you will learn how to install APF on Debian 11. But first, let’s talk a brief about it.

What is APF?

According to the project website:

APF is an iptables(netfilter) based firewall system designed around
The essential needs of today’s Internet deployed servers and the unique
needs of custom deployed Linux installations.

One of the main features of APF is that it is easy to configure. This is important so that we can use it without hassle.

Some features of AFP are:

  • Detailed and well commented configuration file
  • Granular inbound and outbound network filtering
  • User id based outbound network filtering
  • Application based network filtering

So let’s go for it. Let’s install AFP and apply some initial settings.

The first thing we have to do is to open a terminal and update the distribution completely.

sudo apt update
sudo apt upgrade

As I always say, updating the system allows having the latest security patches installed and so the system will be a little more stable and secure.

Then, thanks to the wget command, download the latest stable version of APF.


Thanks to the tar command, unzip the downloaded file.

tar -zxf apf-current.tar.gz

After doing this, access the folder that has been generated.

cd apf-1.*

Inside it, you will see a file called which is a script that performs all the necessary installation.

We have to run this file with root permissions.

sudo ./
1.- AFP on Debian 11
1.- AFP on Debian 11

This will start the whole installation process. When finished, you will be able to see in the output screen the paths of the most important files of the application configuration.

Configuring APF in Debian 11

The APF configuration file is /etc/apf/conf.apf. There we can make the changes we need and open or close ports.

So, before editing it, make a backup of it.

sudo cp /etc/apf/conf.apf /etc/apf/conf.apf.bak

Now edit it.

sudo nano /etc/apf/conf.apf

While we are testing the application, it is convenient that the value of DEVEL_MODE is 1.


But when we are ready for production, the value should be 0.

Next we will define the network interface that has output to the internet. For our post, this interface is eth0 and therefore will be untrusted.


Since it is untrusted, APF will monitor it constantly.

By default, for AFP, all ports are blocked unless otherwise defined in the configuration file. To complete this, look for the IG_TCP_CPORTS directive and set the ports inside. For example,


You can also define UDP ports:


Or ICMP ports:


Save the changes and close the text editor.

To deny or allow host access to the server, we have the /etc/apf/deny_host.rules and /etc/apf/allow_host.rules files where we can easily set IP addresses or address ranges.

To start APF just run

sudo apf -s

Then, to stop it

sudo apf -f

Or check the status

sudo apf -st

Or restart it to apply changes in the configurations

sudo apf -r

Now it’s up to you to test it and keep using it. For more information, see the documentation.

Enjoy it.


AFP is an important tool for the security of your computer. That is why it is necessary to know it.

Everything Linux, A.I, IT News, DataOps, Open Source and more delivered right to you.
"The best Linux newsletter on the web"
I am Angelo. A systems engineer passionate about Linux and all open-source software. Although here I'm just another member of the family.


Please enter your comment!
Please enter your name here

Latest articles

Join us on Facebook