Advanced Policy Firewall Systemd

Hi and welcome to my first blog post, this blog won’t be updated regularly; just when I’ve found a fix or something interesting to post about. Sorry for the look didn’t go much on design, just wanted to get straight to the posting blogs.

For my first blog I’m posting about using apf with systemd, apf is a wrapper for iptables, more details can be found here:

Advanced Policy Firewall

apf is a very good firewall an alternative is csf:

csf is firewall+, whereas apf approach is do one job and do that job well. A great tool when combined with fail2ban and mod-security rules. All of these are great tools when you manage quite a few Apache webservers, saves on configuring a ton of iptables rules for each server.

My only issue with apf is that it is started with an init.d script, that just reports OK doesn’t advise whether iptables has actaully started or not. But if we create a systemd unit file instead:


Description=apf firewall with iptables

ExecStart=/usr/local/sbin/apf --start
ExecStop=/usr/local/sbin/apf --stop


systemctl daemon-reload

systemctl enable apf

systemctl start apf.

Now if we issue:

systemctl status apf

We can clearly see now if iptables has initialized or not.  I was hoping to find a way to get apf to fail if iptables has any issues, but was unable to work this out on centos 7. If anyone has any thoughts on this please comment.

I hope somebody find this of use, all comments are welcome.

Thanks Tom.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.