Archive for the ‘Firewall’ Category

How to Disable and Uninstall APF Firewall Script

Type the following commands:

# service iptables stop
# chkconfig apf off
# /bin/rm -rfv /etc/apf
# /bin/rm -fv /etc/cron.daily/fw
# /bin/rm -fv /etc/init.d/apf
# iptables -L -n

This article demonstrates how to install and configure the CSF (configserver) firewall. CSF can be used on a wide range of Linux systems, including those running cPanel.

First of all, if you have APF + BFD installed, you will need to disable it. You can use the following command to do so:


You can use the following commands to install the CSF (configserver) firewall.

rm -fv csf.tgz
tar zxf csf.tgz
cd csf

To add an IP address to the deny list

csf -d

To add an IP address to the allow list

csf -a

How to restart csf firewall

csf -r

How to stop csf firewall

csf -x

Path of CSF configuration file on cPanel server


Path of denied IP addresses file in CSF


Path of allowed IP address file in CSF


How to add an IP address to the ignore list

Log in to the shell, then add the IP address to /etc/csf/csf.ignore

How to find an IP address blocked by a temporary ban

grep /etc/csf/csf.tempban

APF (Advanced Policy Firewall) is an iptables-based firewall system. APF is developed and maintained by R-fx Networks:

The following are the installation steps for the APF firewall.

1) SSH to the server as root.

2) mkdir APF and change directory to APF

3) wget

4) tar -xvzf apf-current.tar.gz

5) cd apf-0.9.5-1/ or whatever the latest version is.

6) Run the install file: ./
You will receive a message saying it has been installed

Installing APF 0.9.5-1: Completed.

Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/

7) Let's configure the firewall: nano /etc/apf/conf.apf

8) Configuring Firewall Ports:

cPanel Servers
We like to use the following on our cPanel servers

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports - 3000_3500 = passive port range for Pure FTPD
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
Common ingress (inbound) UDP ports

Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]

# Common egress (outbound) TCP ports

# Common egress (outbound) UDP ports

8) Starting the firewall.
/usr/local/sbin/apf -s

Other commands:
usage ./apf [OPTION]
apf -s  ........ load firewall policies
apf -r  ........ flush & load firewall
apf -f  ........ flush firewall
apf -l  ........ list chain rules
apf -st ........ firewall status

Adding an IP to the firewall's allow list, i.e. allow_hosts.rules
apf -a  ipaddress

Adding an IP to the firewall's deny list, i.e. deny_hosts.rules
apf -d ipaddress

9) After everything is fine, change the DEV option

Stop the firewall from automatically clearing itself every 5 minutes from cron.
We recommend changing this back to “0” after you’ve had a chance to ensure everything is working well and tested the server out.

pico /etc/apf/conf.apf


10. Checking the APF Log

The log will show any changes to allow and deny hosts, among other things.
tail -f /var/log/apf_log

Example output:
Aug 23 01:25:55 ocean apf(31448): (insert) deny all to/from
Aug 23 01:39:43 ocean apf(32172): (insert) allow all to/from

11. New – Make APF Start automatically at boot time
To autostart apf on reboot, run this:

chkconfig --level 2345 apf on

To remove it from autostart, run this:

chkconfig --del apf


1) apf --help will display all apf help.

2) If you are installing APF on a VPS, make sure to edit and make the following changes.


IFACE_IN="venet0"
IFACE_OUT="venet0"

3) /etc/init.d/apf start
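
The port list set in conf.apf in step 8 can be checked before the firewall is loaded. The following is an added example, not part of the original article or of APF: a small shell function (the names check_cports and is_port are made up here) that lints one NAME="list" line, accepting single ports and lo_hi ranges as used in IG_TCP_CPORTS, and flagging typographic quotes, stray spaces, out-of-range ports and reversed ranges.

```sh
#!/bin/sh
# Added example (not part of APF): lint one port-list line from conf.apf.

# is_port N: true when N is a decimal integer in 1..65535.
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_cports LINE: print one finding per problem; return 0 only if clean.
check_cports() {
    line=$1 bad=0
    # Typographic quotes from copy-pasted web text are not shell quotes.
    case $line in
        *“*|*”*|*″*) echo "typographic quote in assignment"; bad=1 ;;
    esac
    # Require NAME="list" with straight double quotes.
    case $line in
        [A-Z_]*=\"*\") ;;
        *) echo "not of the form NAME=\"list\""; return 1 ;;
    esac
    value=${line#*=\"}; value=${value%\"}
    case $value in
        *[[:space:]]*) echo "whitespace inside port list"; bad=1
                       value=$(printf '%s' "$value" | tr -d '[:space:]') ;;
    esac
    old_ifs=$IFS; IFS=,; set -f          # split on commas, no globbing
    for entry in $value; do
        lo=${entry%%_*}; hi=${entry#*_}  # "3000_3500" -> 3000, 3500; single port -> lo = hi
        if ! is_port "$lo" || ! is_port "$hi"; then
            echo "invalid port or range: $entry"; bad=1
        elif [ "$lo" -gt "$hi" ]; then
            echo "reversed range: $entry"; bad=1
        fi
    done
    IFS=$old_ifs; set +f
    return $bad
}

# Constructed sample lines: one with typographic quotes and stray spaces, as
# happens when a config value is copied from a web page, and one clean.
check_cports 'IG_TCP_CPORTS=”21,22,25,53,80,110,143,443,2082,2083, 2086,2087, 2095, 2096,3000_3500″' || echo "-> fix before running apf -s"
check_cports 'IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"' && echo "-> port list is well formed"
```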