Friday, August 26, 2011

Installing APF Firewall in cPanel server

October 9, 2009 by  
Filed under cPanel


Securing a server or network is an extensive undertaking. I’m discussing just one major aspect of security here: firewalls, and specifically the APF firewall.

I’m dividing this article into 2 sections:
The first section is for amateurs. The second section is strictly for experts, at least for those who are better versed in the intricacies of the configuration and would like to understand a bit more about what’s happening.

Installing APF Firewall for cPanel

In this section I enumerate the steps to install the APF firewall on cPanel, so that anyone who decides to install APF themselves, and is perhaps dreading that decision, can do it in just 13 easy-to-do steps.

First of all, like all tasks, there’s a requirement list here too :

  • Linux operating system
  • Root access to your system
  • Perl support
  • iptables support

Once you have everything on this checklist, you can start the installation. I have listed the commands you have to run at each step as well.

Well… Here goes….

1) Login as root to your system

2) Download the APF version 0.9.3.3 (current) to your system

bash# wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

3) Now you have to extract the tar file

bash# tar -zxf apf-current.tar.gz

4) Go to the APF directory

bash# cd apf-0.9.3_3

5) Run the code for installation

bash# ./install.sh

You will be alerted when the installation is complete.

Install path : /etc/apf
Config path : /etc/apf/conf.apf
Executable path : /usr/local/sbin/apf

6) Modify the APF config file according to your user defined requirements.

bash# vi /etc/apf/conf.apf

(Hit i to enter the INSERT mode)

7) Add the ports you want to open for inbound traffic (INGRESS).

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"

# Common ICMP (inbound) types

IG_ICMP_TYPES="3,5,11,0,30,8"

The variables mentioned above are already present in the config file. You can customize the ports.

8) You also have to explicitly tell APF to filter outgoing (EGRESS) ports; by default it does not.

Change the line EGF="0" to EGF="1"

9) Specify the outbound ports to permit through the egress filter.

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,465,873"

# Common ICMP (outbound) types

EG_ICMP_TYPES="all"

10) Specify the hosts (IP addresses) you want to allow or block, if any.
– The allow and deny trust files are located at:
/etc/apf/allow_hosts.rules
/etc/apf/deny_hosts.rules
You just have to list the IPs you specifically wish to allow or deny in the respective files.

– The format of these files is one address per line; IP masking (CIDR notation) is supported.

Example:
24.202.16.11
24.202.11.0/24

Save and exit: hit ‘Esc’, type :wq and hit ‘Enter’

11) Start APF

bash# /usr/local/sbin/apf -s

If everything goes as planned, you’ll go back to the command line.

12) If all goes well, edit the config file and change the developer mode to 0

bash# vi /etc/apf/conf.apf

(Hit i to enter insert mode)

Change DEVM="1" to DEVM="0"

Save and quit: hit ‘Esc’, type :wq and hit ‘Enter’

13) Restart APF

bash# /usr/local/sbin/apf -r

Great news! APF is now installed and protecting your system.
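Steps 7 to 12 are all edits to KEY="value" lines in /etc/apf/conf.apf, plus a final check that developer mode is off (with DEVM="1", APF flushes its rules every few minutes via cron so a mistake cannot lock you out, which is why it must be turned off once the rule set is known to work). The helper below is an added example, not code from the post or from APF; it runs against a constructed sample file, and CONF is an assumed path that you would point at /etc/apf/conf.apf on a real host.

```shell
#!/bin/sh
# Added example (not part of the original post or of APF itself).
# Scriptable edits for conf.apf plus a production-readiness check.
# CONF is an assumed path; on a real host set CONF=/etc/apf/conf.apf.
CONF="${CONF:-./conf.apf.sample}"

# Constructed sample resembling a freshly installed conf.apf.
cat > "$CONF" <<'EOF'
DEVM="1"
EGF="0"
IG_TCP_CPORTS="22"
IG_UDP_CPORTS=""
EG_TCP_CPORTS="21,25,80,443,43"
EOF

# apf_get KEY -> prints the value between the quotes of KEY="...".
apf_get() {
    sed -n "s/^$1=\"\(.*\)\"[[:space:]]*$/\1/p" "$CONF"
}

# apf_set KEY VALUE -> rewrites an existing KEY="..." line in place.
# Fails (returns 1) rather than appending if KEY is not in the file,
# so a typo in the key name cannot silently create a dead variable.
# Values must not contain "|", which is the sed delimiter used here.
apf_set() {
    grep -q "^$1=" "$CONF" || return 1
    sed -i.bak "s|^$1=\".*\"|$1=\"$2\"|" "$CONF"
}

# apf_ready -> 0 only when the file matches the end state of the post:
# egress filtering enabled (step 8) and developer mode off (step 12).
apf_ready() {
    [ "$(apf_get EGF)" = "1" ] && [ "$(apf_get DEVM)" = "0" ]
}

# Walk through the edits from steps 7, 8 and 12 on the sample file.
apf_set IG_TCP_CPORTS "20,21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096"
apf_set EGF 1
apf_set DEVM 0
if apf_ready; then echo "conf.apf is production-ready"; else echo "still in developer mode"; fi
```

Run `apf_ready` after every change and before `apf -r`; a config that still reports developer mode means the firewall will keep flushing itself and is not actually protecting the server.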

Tweaking APF


