Do you know the coolest part of the APF firewall? It can deny ALL connections to ssh and allow only a single IP, or a select few, to connect to your server. This article walks through a DENY ALL setup with the APF firewall.
Problem: You want to deny all IPs from connecting to shell/ssh on your server and allow only one, or a select few, to connect, using the APF firewall.
APF Solution:

1. Log in to your server as the root user.

2. cd /etc/apf

3. Use vi or nano to edit the /etc/apf/allow_hosts.rules file, e.g. vi /etc/apf/allow_hosts.rules

4. Scroll down until after the last comment line beginning with ##. Add the following:

   tcp:in:d=22:s=YOURHOMEIPHERE
   out:d=22:d=YOURHOMEIPHERE

   The d=22 part is the port, so you can repeat these lines for other services as well to limit connections if you like. Save the changes.

5. Edit the /etc/apf/deny_hosts.rules file, e.g. vi /etc/apf/deny_hosts.rules. Scroll down until the last default ## comment, then below it add the following:

   tcp:in:d=22:s=0/0
   out:d=22:d=0/0

   Save the changes.

6. Restart the APF firewall: apf -r

Your server is now only allowing connections to the SSH service from one IP using APF. To add more than one IP, repeat step 4, adding a new tcp and out line for each IP.
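The steps above, as an added example that is not part of the original article or of APF itself: a POSIX sh script that generates the allow_hosts.rules and deny_hosts.rules lines in the article's format for any number of admin IPs, and refuses to emit the deny-all line until at least one allow line for that port exists, so the order the article relies on (allow first, then deny) cannot be skipped by mistake. The function names and the output directory are assumptions; it writes to a directory you pass in, not to /etc/apf, so the result can be reviewed before being copied into place.

```shell
#!/bin/sh
# Added example (not APF's own code). Helper names are hypothetical.

# Emit the allow_hosts.rules lines for one source IP and port (article format).
apf_allow_rules() {
    ip="$1"; port="${2:-22}"
    printf 'tcp:in:d=%s:s=%s\nout:d=%s:d=%s\n' "$port" "$ip" "$port" "$ip"
}

# Emit the deny_hosts.rules lines that block the port from everywhere (0/0).
apf_deny_rules() {
    port="${1:-22}"
    printf 'tcp:in:d=%s:s=0/0\nout:d=%s:d=0/0\n' "$port" "$port"
}

# IPv4 sanity check: four dotted octets, each 0-255. Returns non-zero otherwise.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Lockout guard: the deny-all for a port is only safe once the allow file
# already carries at least one tcp:in rule for that same port.
apf_check_lockout() {
    allow_file="$1"; port="${2:-22}"
    grep -q "^tcp:in:d=${port}:s=" "$allow_file"
}

# apf_build DIR PORT IP...  -> writes DIR/allow_hosts.rules and
# DIR/deny_hosts.rules. Invalid IPs are skipped; if no valid IP remains the
# deny file is left empty and the function returns 1.
apf_build() {
    dir="$1"; port="$2"; shift 2
    : > "$dir/allow_hosts.rules"
    : > "$dir/deny_hosts.rules"
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "skipping invalid IP: $ip" >&2; continue; }
        apf_allow_rules "$ip" "$port" >> "$dir/allow_hosts.rules"
    done
    apf_check_lockout "$dir/allow_hosts.rules" "$port" || return 1
    apf_deny_rules "$port" >> "$dir/deny_hosts.rules"
}

# Constructed sample run: two documentation-range admin IPs, one bogus entry.
# out="$(mktemp -d)"; apf_build "$out" 22 203.0.113.5 198.51.100.7 999.1.1.1
```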