APF Firewall

Advanced Policy Firewall, or APF, is a firewall sometimes seen on Liquid Web’s servers. It is basically an interface to iptables, which is the standard interface for managing network ports on Linux machines. Interacting with iptables directly can be complex and error-prone, and APF greatly simplifies working with it. However, APF is still only accessible over SSH. There is no way to make changes in APF through WHM or cPanel.

All of the APF configuration files are located in the /etc/apf folder on your server. Within this folder, the allow_hosts.rules file contains all of the IP addresses that are whitelisted for the server, and the deny_hosts.rules file contains all of the IPs that are being blocked by the firewall. Within the deny_hosts.rules file, each IP that is being blocked should also include the reason for the block (most of them will have been blocked by bfd, which blocks IPs attempting to brute force the server).

To block an IP in the firewall, simply ssh in as root and run the following command:

apf -d IP_ADDRESS

(replace IP_ADDRESS with the IP address in question)

If the IP has previously been whitelisted, that command will give you this error: already exists in /etc/apf/allow_hosts.rules

You’ll need to open /etc/apf/allow_hosts.rules in your preferred text editor and remove the IP before you can block it in the firewall. If your setup is more recent, this command may work to get the IP out of allow_hosts.rules:

apf -u IP_ADDRESS

Starting, stopping, and restarting apf can be easily done via the command line:

apf -s
This will start apf if it is not running.

apf -r
This will restart apf.

apf -f
This will stop apf and flush all rules from the firewall.

White-listing an IP

If you have an IP address that you would like never to be added to the firewall (also known as whitelisting), simply run this command as root:

apf -a IP_ADDRESS

(be sure to replace IP_ADDRESS with the IP address in question)

If the IP address is currently being blocked by the firewall, you will get an error: already exists in /etc/apf/deny_hosts.rules

If that happens, you will need to open /etc/apf/deny_hosts.rules in your favorite text editor and remove the IP address before it can be added to the whitelist. If your setup is more recent, you may be able to run the following to remove the IP address from deny_hosts.rules:

apf -u IP_ADDRESS

Opening a port in the apf firewall

By default apf is configured in such a way that all ports are blocked besides the ones specifically allowed to be open to the world.  To allow access to additional ports, the main apf configuration file needs to be edited.

Please be advised that changes to the apf configuration file have to be made by hand at the command line. If you do not feel comfortable making these changes, feel free to contact a systems administrator at Liquid Web to assist with any configuration changes that need to occur.

First, open the main apf configuration file, conf.apf:

vim /etc/apf/conf.apf

Within this file, the line that needs to be changed starts with IG_TCP_CPORTS= and looks like this:

Now this line needs to be edited to include the additional port.

  • Within vim hit a to enter insert mode.
  • Within insert mode add the additional port to the current list followed by a comma.
  • Now hit escape (Esc) to exit insert mode.
  • To write and save the changes type :wq and hit enter.
  • After these changes have been done restart apf with this command: apf -r

These instructions are for opening a TCP port. If a UDP port also needs to be opened, the instructions are the same except that the line that needs to be edited is the IG_UDP_CPORTS line.
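
A scripted version of the manual edit above, as an added example (not Liquid Web's or APF's own code): it validates the port, skips ports that are already listed, and keeps a backup of the file before changing it. It assumes the line has the form IG_TCP_CPORTS="22,80,443" (a quoted, comma-separated list); the function names apf_list_ports and apf_add_port are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. Assumed line format in conf.apf: IG_TCP_CPORTS="22,80,443"

# apf_list_ports CONF KEY: print the current port list for KEY.
apf_list_ports() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# apf_add_port CONF tcp|udp PORT
# Returns 0 if the port was added or is already listed,
# 1 on invalid input, 2 if the expected line is missing.
apf_add_port() {
    local conf=$1 proto=$2 port=$3 key current
    case "$proto" in
        tcp) key=IG_TCP_CPORTS ;;
        udp) key=IG_UDP_CPORTS ;;
        *) echo "protocol must be tcp or udp" >&2; return 1 ;;
    esac
    # Accept only a plain decimal port (1-65535), so nothing else
    # can end up inside the configuration file.
    case "$port" in
        ''|0*|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "${#port}" -gt 5 ] || [ "$port" -gt 65535 ]; then
        echo "invalid port: $port" >&2; return 1
    fi
    if ! grep -q "^${key}=\"[^\"]*\"" "$conf"; then
        echo "$key line not found in $conf" >&2; return 2
    fi
    current=$(apf_list_ports "$conf" "$key")
    # Idempotent: leave the file alone if the port is already open.
    case ",$current," in
        *",$port,"*) return 0 ;;
    esac
    cp -p "$conf" "$conf.bak" || return 1   # copy to roll back to
    if [ -n "$current" ]; then
        sed "s/^\(${key}=\"[^\"]*\)\"/\1,${port}\"/" "$conf.bak" > "$conf"
    else
        sed "s/^${key}=\"\"/${key}=\"${port}\"/" "$conf.bak" > "$conf"
    fi
}
```

The function only edits the file: check the new list with apf_list_ports, then run apf -r as in the last step above. The previous version of the file is kept next to it with a .bak suffix.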


Liquid Web’s Heroic Support is always available to assist customers with this or any other issue. If you need our assistance please contact us:
Toll Free 1.800.580.4985
International 517.322.0434
