Advanced Policy Firewall (for cPanel)

More retro software that has been with us for years: APF, the Advanced Policy Firewall. A brilliantly robust and foolproof Linux script that acts as a wrapper for iptables.

Here's how I configure it for all the WHM/cPanel boxes I commission, although you can configure it for non-cPanel servers; just adjust your ports accordingly.

[codesyntax lang="bash"]
wget http://www.rfxn.com/downloads/apf-current.tar.gz
tar zxpfv apf-current.tar.gz
cd apf-9.7-1/
sh install.sh
nano /etc/apf/conf.apf
[/codesyntax]

These are the main settings I change in the configuration file.

[codesyntax lang="bash"]
# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to stop the firewall. Set
# this off (0) when firewall is determined to be operating as desired.
DEVEL_MODE="0"

# Common ingress (inbound) TCP ports for cPanel & WHM
# (keep the whole list on one line; a wrapped value breaks port parsing)
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306,6666"

# Common ingress (inbound) UDP ports for cPanel & WHM
IG_UDP_CPORTS="21,53,465,873,2077,2078"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"

# Outbound (egress) filtering - Always a good idea.
EGF="1"

# Common egress (outbound) TCP ports for cPanel & WHM
EG_TCP_CPORTS="21,25,26,37,43,53,80,113,465,873,3306"

# Common egress (outbound) UDP ports for cPanel & WHM
EG_UDP_CPORTS="20,21,53,465,873"

# Common ICMP (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
[/codesyntax]

One final setting I had to change was the BLK_RESNET option.

[codesyntax lang="bash"]
# Block all ipv4 address space marked reserved for future use (unassigned),
# such networks have no business talking on the Internet. However they may at
# some point become live address space. The USE_RD option further in this file
# allows for dynamic updating of this list on every full restart of APF. Refer
# to the 'internals/reserved.networks' file for listing of address space.
BLK_RESNET="0"
[/codesyntax]

Then, finally, start it with /etc/init.d/apf start

You can confirm it is working with iptables -L

These are the inbound TCP/UDP and outbound TCP/UDP ports in question.
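Listing the rules only proves the firewall loaded; the useful check is whether the ports declared in conf.apf are the ones iptables actually accepts, and nothing else. The following audit helper is an added example, not part of APF or of the original post: it parses the IG_*_CPORTS values (tolerating a value wrapped across lines) and compares them with a captured `iptables -S` dump. Both sample inputs are constructed, and the rule parser assumes a single `--dport` per ACCEPT rule in the INPUT chain.

```python
"""Audit helper: compare ports declared in conf.apf with what iptables accepts."""
import re

# Constructed excerpt of /etc/apf/conf.apf, deliberately wrapped across two
# lines the way the value appears in the post.
SAMPLE_CONF = '''
IG_TCP_CPORTS=" 20,21,22,25,26,53,80,110,143,443,465,993,995,2077,2078,2082,
2083,2086,2087,2095,2096,3306,6666"
IG_UDP_CPORTS="21,53,465,873,2077,2078"
'''

# Constructed `iptables -S` snapshot: most declared ports are absent and
# 8080 is open although nothing in the config asked for it.
SAMPLE_RULES = '''-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2083 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
'''

def parse_apf_ports(conf_text, var):
    """Return the set of ports assigned to `var` in conf.apf text.
    Tolerates a quoted value that has been wrapped onto several lines."""
    m = re.search(r'^\s*%s\s*=\s*"([^"]*)"' % re.escape(var), conf_text, re.M)
    if not m:
        return set()
    return {int(p) for p in re.split(r'[\s,]+', m.group(1)) if p}

def parse_accepted_dports(rules_text, chain="INPUT", proto="tcp"):
    """Collect --dport values of ACCEPT rules for one chain and protocol
    from `iptables -S` output (assumes one --dport per rule, no multiport)."""
    ports = set()
    for line in rules_text.splitlines():
        if not line.startswith("-A %s " % chain) or "-j ACCEPT" not in line:
            continue
        if ("-p %s" % proto) not in line:
            continue
        m = re.search(r"--dport (\d+)", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def audit(conf_text, rules_text, var="IG_TCP_CPORTS", proto="tcp"):
    """Declared ports with no ACCEPT rule, and accepted ports never declared."""
    intended = parse_apf_ports(conf_text, var)
    actual = parse_accepted_dports(rules_text, "INPUT", proto)
    return {"missing": sorted(intended - actual),
            "unexpected": sorted(actual - intended)}

if __name__ == "__main__":
    for proto, var in (("tcp", "IG_TCP_CPORTS"), ("udp", "IG_UDP_CPORTS")):
        print(proto, audit(SAMPLE_CONF, SAMPLE_RULES, var, proto))
```

On a live box, feed it the contents of /etc/apf/conf.apf and the output of `iptables -S INPUT`; any entry under "unexpected" is a port the firewall accepts that your configuration never asked for.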

Inbound TCP Ports

  • 20 FTP
  • 21 FTP
  • 22 SSH
  • 25 SMTP
  • 26 SMTP
  • 53 DNS
  • 80 HTTP
  • 110 POP
  • 143 IMAP
  • 443 HTTPS
  • 465 SMTP (TLS/SSL)
  • 993 IMAP4 (SSL)
  • 995 POP3 (SSL)
  • 2082 CPANEL
  • 2083 CPANEL (SSL)
  • 2086 WHM (Web Host Manager)
  • 2087 WHM (SSL)
  • 2095 WEBMAIL
  • 2096 WEBMAIL (SSL)

Inbound UDP Ports

  • 21 FTP
  • 53 DNS
  • 465 SMTP (TLS/SSL)

Outbound TCP Ports

  • 20 FTP
  • 21 FTP
  • 25 SMTP
  • 26 SMTP
  • 37 RDATE
  • 43 WHOIS
  • 53 DNS
  • 80 HTTP
  • 113 IDENT
  • 465 SMTP (TLS/SSL)
  • 873 RSYNC
  • 2089 CPANEL LICENSE

Outbound UDP Ports

  • 21 FTP
  • 53 DNS
  • 465 SMTP (TLS/SSL)
  • 873 RSYNC

** If you want MySQL remote access and have modified my.cnf accordingly, make sure you add 3306 to both EG_TCP_CPORTS and IG_TCP_CPORTS.
** It's best practice to add your own IPs to the whitelist: /etc/apf/allow_hosts.rules

Now you've got a software firewall monitoring your server's incoming and outgoing requests.

Author: Kieran Barnes

Kieran is a PHP developer with 15 years commercial experience. Specialist in WordPress, CakePHP, CubeCart and all things PHP.
