Advanced Policy Firewall
iptables-based firewall with intuitive policy syntax
Advanced Policy Firewall (APF) is an iptables (netfilter) based firewall system designed around the essential needs of today's Internet-deployed servers and the unique needs of custom-deployed Linux installations. The configuration file is designed to be informative and to walk the user through an easy-to-follow process from top to bottom.
APF employs a three-fold filtering approach. Static rule-based policies provide unchanging firewall instructions. Connection-based stateful policies distinguish legitimate packets for known connections. Sanity-based policies match traffic patterns against known attack methods and enforce Internet standards compliance such as source IP forgery detection.
Features
Filtering
- Granular inbound and outbound network filtering
- User ID based outbound network filtering
- Application based network filtering
- Global TCP/UDP port and ICMP type filtering with multiple methods (drop, reject, prohibit)
- Advanced packet sanity checks including fragmented UDP, port zero floods, ARP poisoning
Trust & Blocking
- Trust based rule files with advanced syntax: proto:flow:[s/d]=port:[s/d]=ip(/mask)
- Global trust system with rules downloaded from a central management server
- Reactive Address Blocking (RAB) — next generation in-line intrusion prevention
- DShield.org block list support and Spamhaus DROP list support
- Configurable policies for each IP on the system with convenience variables
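The advanced trust syntax listed above can be checked before a rule file is loaded. The following is an added example, not code from APF: a small parser and linter for `proto:flow:[s/d]=port:[s/d]=ip(/mask)` lines. It assumes `proto` is `tcp` or `udp`, `flow` is `in` or `out`, both are optional, the port is a single number, and addresses are IPv4; the sample rules are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional

PROTOS = {"tcp", "udp"}  # assumed value set, not taken from the page
FLOWS = {"in", "out"}    # assumed value set, not taken from the page

class TrustRule(NamedTuple):
    proto: Optional[str]   # None when the rule omits it
    flow: Optional[str]    # None when the rule omits it
    port_dir: str          # 's' = source port, 'd' = destination port
    port: int
    ip_dir: str            # 's' = source address, 'd' = destination address
    net: ipaddress.IPv4Network

def split_selector(field: str, what: str):
    """Split 's=VALUE' or 'd=VALUE' into (direction, value)."""
    direction, sep, value = field.partition("=")
    if sep != "=" or direction not in ("s", "d") or not value:
        raise ValueError(f"bad {what} field: {field!r}")
    return direction, value

def parse_trust_rule(line: str) -> TrustRule:
    fields = line.strip().split(":")
    proto = fields.pop(0) if fields and fields[0] in PROTOS else None
    flow = fields.pop(0) if fields and fields[0] in FLOWS else None
    if len(fields) != 2:
        raise ValueError(f"expected [s/d]=port:[s/d]=ip, got {line!r}")
    port_dir, port_s = split_selector(fields[0], "port")
    ip_dir, ip_s = split_selector(fields[1], "ip")
    if not port_s.isdigit() or not 0 < int(port_s) <= 65535:
        raise ValueError(f"port out of range: {port_s!r}")
    # strict=False normalises 192.0.2.10/24 to its network; bad octets still raise
    net = ipaddress.IPv4Network(ip_s, strict=False)
    return TrustRule(proto, flow, port_dir, int(port_s), ip_dir, net)

def audit(lines):
    """Return (parsed rules, [(line, error), ...]); blank and '#' lines are skipped."""
    ok, bad = [], []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            ok.append(parse_trust_rule(line))
        except ValueError as exc:
            bad.append((line, str(exc)))
    return ok, bad

# Constructed sample rules using documentation address ranges
SAMPLE = ["tcp:in:d=22:s=192.0.2.10", "d=443:s=198.51.100.0/24",
          "udp:out:d=53:d=203.0.113.53", "tcp:in:d=70000:s=192.0.2.10",
          "tcp:in:22:s=192.0.2.10", "tcp:in:d=22:s=192.0.2.300"]
```

`audit(SAMPLE)` accepts the first three rules and rejects the last three; `rule.net.num_addresses` shows how many hosts each accepted entry trusts.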
Performance & Configuration
- Fast load feature allowing 1000+ rules to load in under 1 second
- Detailed and well-commented configuration file
- Debug mode for testing new features and configuration setups
- Inbound and outbound network interfaces independently configurable
- Dynamic DNS resolver configuration
- Configurable connection tracking with kernel hooks for syn-flood hardening
- Comprehensive error checking to prevent configuration mistakes
Installation
$ git clone https://github.com/rfxn/advanced-policy-firewall.git
$ cd advanced-policy-firewall
$ sudo ./install.sh
Verify Download
MD5 Signature Verification
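Always verify the integrity of downloaded packages before installation. The MD5 file is fetched from the same server as the tarball, so a matching checksum confirms an intact download, not the authenticity of the package.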
$ wget https://www.rfxn.com/downloads/apf-current.tar.gz
$ wget https://www.rfxn.com/downloads/apf-current.tar.gz.md5
$ md5sum -c apf-current.tar.gz.md5
Downloads & Resources
Community & Publications
Notable
Tutorials & Articles
- How to Configure and Use APF Firewall — Liquid Web
- Install and Configure APF on CentOS — HowToForge
- Installing and Configuring APF — A2 Hosting
- How to Install APF on Your Dedicated Server — InMotion Hosting
- Locking Down Your Linux Server with APF + BFD — Snipe.Net
- How to Install apf-firewall on Ubuntu — GeeksforGeeks
- Install APF on Rocky Linux 9 / Alma Linux 9 — UnixCop