Linux Software Firewalls

There is one main firewall script I use everywhere. It is extremely simple to use and installs quickly.

Advanced Policy Firewall (APF)

Simple Settings for Configuring APF

My preferred text editor is vim; use nano or whatever else you prefer. Substitute your own editor for mine in the commands below.

vi /etc/apf/conf.apf

This is the config file. As a sysadmin, I hate wasting time typing things out and therefore love being able to type “vi /etc/apf/conf” and then press Tab to finish the command for me. Well named, guys.

DEVEL_MODE

Be familiar with DEVEL_MODE: you need to have it turned off for production operations. With it turned on, your firewall rules will be flushed to none every 5 minutes. It’s designed so you can test that your settings work, but if you lock yourself out you’ll get access again in 5 minutes’ time.

IFACE_IN / IFACE_OUT

If you’re using a virtual machine, you may have something other than eth0. Be sure to change it to the untrusted (public) network interface.

SET_MONOKERN

If you install APF on a virtual machine, VPS, VE (virtual environment), or whatever you want to call it, and you don’t have access to the kernel, you might have to change this to 1 for it to work.

SYSCTL_SYNCOOKIES

This turns on SYN cookies for you, which can help the server withstand SYN flood denial-of-service attacks.

IG_TCP_CPORTS

The permitted inbound TCP ports. Very important. Basically, put in all the port numbers you want to be publicly open, for example HTTP (80) and DNS (53). If you want to allow access from certain IP addresses only, but not the world, don’t include those ports here.

IG_UDP_CPORTS

The permitted inbound UDP ports. I see FTP (21) and DNS (52) in these a lot; I don’t think it is necessary, though.

IG_ICMP_TYPES

Internet Control Message Protocol (ICMP), commonly called ping (the ping command uses this protocol to test connections). Each type of ICMP message corresponds with a number, which you can permit or block. Read about the types and their results on Wikipedia; I’m not going into them. The idea is that you can block ping on your server: if a hacker pings you to see whether your host is online, it responds with request timed out, and they might move on.

EGF

“Outbound (egress) filtering”. Set to 0 (disabled) by default. It allows you to filter outbound connections from your server. This is the master on/off switch for the feature.

EG_TCP_CPORTS

Outbound TCP Ports to allow.

EG_UDP_CPORTS

Outbound UDP ports to allow.

EG_ICMP_TYPES

Outbound ICMP (ping) types to allow. Again, read about the types and their results on Wikipedia to save me going into it.
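As an added example (not part of this post or of APF itself), here is a small shell audit that reads a conf.apf-style file and flags the things discussed above that commonly bite: DEVEL_MODE left on, an empty IFACE_IN, SYN cookies off, and an IG_TCP_CPORTS list that opens to the world a port you meant to restrict by IP. It assumes the KEY="value" layout of conf.apf with comma-separated port lists; the sample config is constructed inline.

```shell
#!/bin/sh
# Audit a conf.apf for the settings above (added example, not APF's own code).
# Assumes the KEY="value" layout of conf.apf; port lists are comma-separated numbers.
# Print the value of variable $2 from file $1, with surrounding quotes removed.
apf_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}
# Return 0 if port $3 is listed in the comma-separated variable $2 of file $1.
apf_port_listed() {
    apf_get "$1" "$2" | tr ',' '\n' | grep -qx "$3"
}
# Check a config for production readiness. Extra arguments are TCP ports that
# should be reachable from specific IPs only and therefore must NOT be in
# IG_TCP_CPORTS. Prints one FINDING line per problem; returns the finding count.
apf_audit() {
    file="$1"; shift
    findings=0
    case "$(apf_get "$file" DEVEL_MODE)" in
        0) ;;
        *) echo "FINDING: DEVEL_MODE is not 0; rules are flushed every 5 minutes"
           findings=$((findings + 1)) ;;
    esac
    if [ -z "$(apf_get "$file" IFACE_IN)" ]; then
        echo "FINDING: IFACE_IN is empty; set it to the public interface"
        findings=$((findings + 1))
    fi
    if [ "$(apf_get "$file" SYSCTL_SYNCOOKIES)" != "1" ]; then
        echo "FINDING: SYSCTL_SYNCOOKIES is off; SYN cookie protection disabled"
        findings=$((findings + 1))
    fi
    for port in "$@"; do
        if apf_port_listed "$file" IG_TCP_CPORTS "$port"; then
            echo "FINDING: TCP port $port is open to the world in IG_TCP_CPORTS"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
# Constructed sample: a fresh install left in DEVEL_MODE with SSH (22) open to all.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
DEVEL_MODE="1"
IFACE_IN="eth0"
SYSCTL_SYNCOOKIES="1"
IG_TCP_CPORTS="22,80,443"
EOF
# Pass the ports that should be IP-restricted (here 22); expect 2 findings.
apf_audit "$SAMPLE_CONF" 22 || echo "$? finding(s)"
```

Run it against your real /etc/apf/conf.apf before taking DEVEL_MODE off; a clean run prints nothing and returns 0.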

Other Firewalls – CSF (ConfigServer Security & Firewall)

If you use a cPanel server, CSF (ConfigServer Security & Firewall) is very popular and integrates with Web Host Manager (WHM). I’m not going to talk about it here, but check out the feature list and download it at the developer’s website, ConfigServer.
