Hi and welcome to my first blog post. This blog won't be updated regularly, just when I've found a fix or something interesting to post about. Sorry for the look; I didn't spend much on design, I just wanted to get straight to posting.
For my first post I'm writing about using apf with systemd. apf is a wrapper for iptables; more details can be found here:
apf is a very good firewall; an alternative is csf:
https://configserver.com/cp/csf.html
csf is a firewall plus extras, whereas apf's approach is to do one job and do it well. It is a great tool when combined with fail2ban and mod_security rules. All of these are great tools when you manage quite a few Apache web servers, as they save configuring a ton of iptables rules on each server.
My only issue with apf is that it is started with an init.d script that just reports OK and doesn't tell you whether iptables has actually started or not. But if we create a systemd unit file instead:
/lib/systemd/system/apf.service
[Unit]
Description=apf firewall with iptables
After=syslog.target network.target

[Service]
# apf --start loads the rules and exits; RemainAfterExit keeps the unit active afterwards
RemainAfterExit=yes
ExecStart=/usr/local/sbin/apf --start
ExecStop=/usr/local/sbin/apf --stop
Restart=on-failure
RestartSec=5

[Install]
WantedBy=basic.target
systemctl daemon-reload
systemctl enable apf
systemctl start apf
Now if we issue:
systemctl status apf
We can now clearly see whether iptables has initialised or not. I was hoping to find a way to get apf to fail if iptables has any issues, but was unable to work this out on CentOS 7. If anyone has any thoughts on this, please comment.
I hope somebody finds this of use; all comments are welcome.
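One way to get that failure signal, as an added example that is not part of the original post or of apf itself: a small POSIX sh check hooked in with ExecStartPost= (the script path /usr/local/sbin/apf-verify and the MIN_RULES threshold are assumptions) that reads `iptables -S` and exits non-zero when the filter table holds no rules, which makes systemd mark apf.service failed.

```sh
#!/bin/sh
# Added example, not part of apf: post-start check for apf.service.
# Wire it in with   ExecStartPost=/usr/local/sbin/apf-verify   (path assumed).
# A non-zero exit makes systemd mark the unit failed, so `systemctl status apf`
# shows the failure and Restart=on-failure gets to retry.
MIN_RULES=${MIN_RULES:-3}   # assumed threshold: fewer -A rules than this = not loaded

# Count real rules (-A lines) in `iptables -S` output read from stdin.
count_rules() {
    grep -c '^-A ' || true
}

# Succeed when the ruleset passed as $1 looks loaded: a policy line for INPUT
# and at least MIN_RULES rules. A stopped or failed apf leaves only -P lines.
ruleset_ok() {
    n=$(printf '%s\n' "$1" | count_rules)
    has_input=$(printf '%s\n' "$1" | grep -c '^-P INPUT ' || true)
    [ "$n" -ge "$MIN_RULES" ] && [ "$has_input" -ge 1 ]
}

# Constructed samples (not captured from a real host): the bare table left
# after `apf --stop`, and a trimmed version of a loaded table.
EMPTY_TABLE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

LOADED_TABLE='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP'

# Live check against the running kernel; this is what ExecStartPost runs.
main() {
    live=$(iptables -S 2>/dev/null) || { echo "apf-verify: cannot read iptables" >&2; exit 2; }
    if ruleset_ok "$live"; then
        exit 0
    fi
    echo "apf-verify: filter table holds no apf rules, failing the unit" >&2
    exit 1
}

# Only run the live check when installed under the assumed name, so the
# functions can be sourced or tested without touching iptables.
case "$0" in */apf-verify) main ;; esac
```

After adding the ExecStartPost= line to the unit and running `systemctl daemon-reload`, a start where the rules did not load shows up as failed in `systemctl status apf` instead of active.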
Thanks Tom.