Advanced Policy Firewall (for cPanel)
Posted on August 2, 2010
More retro software that has been with us for years: APF, the Advanced Policy Firewall from R-fx Networks, a robust shell script that acts as a front end to iptables.
Here's how I configure it for all the WHM/cPanel boxes I commission. It works just as well on non-cPanel servers; just adjust the ports accordingly.
- wget http://www.rfxn.com/downloads/apf-current.tar.gz
- tar zxpfv apf-current.tar.gz
- cd apf-9.7-1/
- sh install.sh
- nano /etc/apf/conf.apf
These are the main settings I change in the configuration file.
- # !!! Do not leave set to (1) !!!
- # When set to enabled; 5 minute cronjob is set to stop the firewall. Set
- # this off (0) when firewall is determined to be operating as desired.
- DEVEL_MODE="0"
-
- # Common ingress (inbound) TCP ports for cPanel & WHM
- IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306,6666"
-
- # Common ingress (inbound) UDP ports for cPanel & WHM
- IG_UDP_CPORTS="21,53,465,873,2077,2078"
-
- # Common ICMP (inbound) types
- # 'internals/icmp.types' for type definition; 'all' is wildcard for any
- IG_ICMP_TYPES="3,5,11,0,30,8"
-
- # Outbound (egress) filtering - Always a good idea.
- EGF="1"
-
- # Common egress (outbound) TCP ports for cPanel & WHM
- EG_TCP_CPORTS="21,25,26,37,43,53,80,113,465,873,2089,3306"
-
- # Common egress (outbound) UDP ports for cPanel & WHM
- EG_UDP_CPORTS="20,21,53,465,873"
-
- # Common ICMP (outbound) types
- # 'internals/icmp.types' for type definition; 'all' is wildcard for any
- EG_ICMP_TYPES="all"
One final setting I had to change was the BLK_RESNET option
- # Block all ipv4 address space marked reserved for future use (unassigned),
- # such networks have no business talking on the Internet. However they may at
- # some point become live address space. The USE_RD option further in this file
- # allows for dynamic updating of this list on every full restart of APF. Refer
- # to the 'internals/reserved.networks' file for listing of address space.
- BLK_RESNET="0"
Then, finally, start it with /etc/init.d/apf start
You can confirm it is working with iptables -L -n (the -n skips the reverse DNS lookups that otherwise make the listing crawl). Because DEVEL_MODE is now "0" the rules persist, so a typo in IG_TCP_CPORTS can lock you out of SSH: add your own address to /etc/apf/allow_hosts.rules before the first start, or do the first start with DEVEL_MODE="1" so the cron job flushes the rules after five minutes if you lose your session.
These are the inbound TCP/UDP and outbound TCP/UDP ports in question:
Inbound TCP Ports
- 20 FTP
- 21 FTP
- 22 SSH
- 25 SMTP
- 26 SMTP
- 53 DNS
- 80 HTTP
- 110 POP3
- 143 IMAP
- 443 HTTPS
- 465 SMTP (TLS/SSL)
- 993 IMAP4 (SSL)
- 995 POP3 (SSL)
- 2077 WEBDISK (WebDAV)
- 2078 WEBDISK (SSL)
- 2082 CPANEL
- 2083 CPANEL (SSL)
- 2086 WHM (Web Host Manager)
- 2087 WHM (SSL)
- 2095 WEBMAIL
- 2096 WEBMAIL (SSL)
- 3306 MySQL (only if you need remote access; see the note below)
- 6666 appears in IG_TCP_CPORTS above but is not a cPanel service port; leave it out unless something on your box actually listens there
Inbound UDP Ports
- 21 FTP
- 53 DNS
- 465 SMTP (TLS/SSL)
- 873 RSYNC
- 2077 / 2078 WEBDISK
Of these only 53 carries real UDP traffic: FTP, SMTP, rsync and WebDisk are TCP services, so the other UDP entries open nothing useful and can be dropped.
Outbound TCP Ports
- 20 FTP
- 21 FTP
- 25 SMTP
- 26 SMTP
- 37 RDATE
- 43 WHOIS
- 53 DNS
- 80 HTTP
- 113 IDENT
- 465 SMTP (TLS/SSL)
- 873 RSYNC
- 2089 CPANEL LICENSE (must be in EG_TCP_CPORTS once egress filtering is on, or the license check is blocked)
- 3306 MySQL (connections to remote MySQL servers; see the note below)
Outbound UDP Ports
- 20 FTP
- 21 FTP
- 53 DNS
- 465 SMTP (TLS/SSL)
- 873 RSYNC
As with the inbound list, 53 is the only one of these that matters over UDP.
** The configuration above already has 3306 in both IG_TCP_CPORTS and EG_TCP_CPORTS, which is what remote MySQL access needs once my.cnf has been adjusted accordingly. If you do not need MySQL reachable from other hosts, take 3306 out of IG_TCP_CPORTS rather than leave the port open to the whole Internet.
** It's best practice to add your own IPs to the allow list, /etc/apf/allow_hosts.rules, so that a firewall mistake can't lock you out.
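As an added example (not from the original post and not part of APF itself), here is a small POSIX shell helper that applies the settings above to conf.apf idempotently, sanity-checks each port list before APF ever loads it, and seeds allow_hosts.rules with your own address so a typo cannot lock you out. The sample config, the file paths and the 203.0.113.7 address are constructed for the demonstration; on a real box point APF_CONF and APF_ALLOW at /etc/apf/conf.apf and /etc/apf/allow_hosts.rules. It includes 2089 in the egress list for the cPanel license check and leaves out the unexplained 6666.

```shell
#!/bin/sh
# Added example: apply the cPanel APF policy from the post to conf.apf,
# validate the port lists, and pre-seed allow_hosts.rules. Not part of
# APF or the original post. Defaults below are constructed sample files;
# override APF_CONF / APF_ALLOW to work on /etc/apf/.
APF_CONF="${APF_CONF:-./conf.apf.sample}"
APF_ALLOW="${APF_ALLOW:-./allow_hosts.rules.sample}"

# Port lists from the post (2089 added for the license check, 6666 dropped).
CP_IG_TCP="20,21,22,25,26,53,80,110,143,443,465,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306"
CP_IG_UDP="21,53,465,873,2077,2078"
CP_EG_TCP="21,25,26,37,43,53,80,113,465,873,2089,3306"
CP_EG_UDP="20,21,53,465,873"

# Constructed stand-in for a freshly installed /etc/apf/conf.apf.
make_sample_conf() {
    cat > "$APF_CONF" <<'EOF'
DEVEL_MODE="1"
IG_TCP_CPORTS="22"
IG_UDP_CPORTS=""
IG_ICMP_TYPES="3,5,11,0,30,8"
EGF="0"
EG_TCP_CPORTS="21,25,80,443,43"
EG_UDP_CPORTS="20,21,53"
EG_ICMP_TYPES="all"
BLK_RESNET="1"
EOF
    : > "$APF_ALLOW"
}

# Read KEY from the config, without the surrounding quotes.
apf_get() {
    sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$APF_CONF"
}

# Set KEY="VALUE" in place. The key must already exist: a misspelt key
# appended to the file would simply have no effect, so treat it as an error.
apf_set() {
    grep -q "^$1=" "$APF_CONF" || { echo "no such key: $1" >&2; return 1; }
    sed -i "s|^$1=.*|$1=\"$2\"|" "$APF_CONF"
}

is_num() { case $1 in ''|*[!0-9]*) return 1 ;; esac; return 0; }

# Validate a comma-separated port list: every entry must be an integer in
# 1..65535 and no entry may repeat. Reports offenders on stderr and returns
# 1 if any were found, so a bad list never reaches APF.
check_ports() {
    bad=0
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        if ! is_num "$p" || [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "bad port entry: $p" >&2; bad=1
        fi
    done
    dups=$(printf '%s\n' "$1" | tr ',' '\n' | sort | uniq -d | tr '\n' ' ')
    if [ -n "$dups" ]; then echo "duplicate entries: $dups" >&2; bad=1; fi
    return $bad
}

# Add a host or CIDR to allow_hosts.rules exactly once (one entry per line).
apf_allow() {
    grep -qxF "$1" "$APF_ALLOW" 2>/dev/null || echo "$1" >> "$APF_ALLOW"
}

# Apply the post's settings; fails fast on the first bad port list or key.
apply_cpanel_policy() {
    check_ports "$CP_IG_TCP" && check_ports "$CP_IG_UDP" &&
    check_ports "$CP_EG_TCP" && check_ports "$CP_EG_UDP" &&
    apf_set DEVEL_MODE 0 &&
    apf_set IG_TCP_CPORTS "$CP_IG_TCP" &&
    apf_set IG_UDP_CPORTS "$CP_IG_UDP" &&
    apf_set EGF 1 &&
    apf_set EG_TCP_CPORTS "$CP_EG_TCP" &&
    apf_set EG_UDP_CPORTS "$CP_EG_UDP" &&
    apf_set BLK_RESNET 0
}

# Usage: sh apf-policy.sh demo   (runs against the constructed sample files)
if [ "${1:-}" = "demo" ]; then
    make_sample_conf
    apf_allow 203.0.113.7          # constructed admin address; use your own
    apply_cpanel_policy && echo "DEVEL_MODE=$(apf_get DEVEL_MODE) EGF=$(apf_get EGF)"
fi
```

Run apply_cpanel_policy before the first /etc/init.d/apf start and again after any edit; because apf_set rewrites the existing line rather than appending, repeated runs leave exactly one copy of each key, and a failed check_ports stops the run before DEVEL_MODE is switched off.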
Now you've got a software firewall monitoring your server's incoming and outgoing requests.