How necessary/good is APF?
hedhod12
Excuse my ignorance here, but can someone please tell me (in layman's terms) how necessary and effective APF is on a dedicated box? And is it really worth the extra CPU/resource overhead it costs? Does it block ports, etc., or just check logs to find out hack attempts, etc.?

As a newbie, I have been trying to understand this for a while, and any insight would be appreciated.
eddy2099
APF allows you to configure the firewall on your Linux server. It is really essential to have at least a firewall on your server; at least that should give you a level of security.

Think about it this way, putting a server on the internet is like taking a swim in shark-infested waters. With a firewall, you are pretty much in the water in a mini-sub or a cage.

As for resources, it depends on the traffic level and also on how complex your rulesets are. For most purposes, it should be sufficient and it should not really cost you too much in terms of overhead.

Yes, it can block ports, log hack attempts and so on; it all depends on how you configure it.
Blue|Fusion
Actually, a firewall is not as necessary as people make them sound, depending on how well you secure your system. Firewalls drop incoming packets on specified ports so they can't affect such and such a service. Well, if there is no service listening on that port (i.e. you properly disabled any services you don't want running), then there's nothing those packets can really do.

But there is another reason for firewalls such as APF - outgoing packet filtering. If, by chance, you get infected with a script that attempts to DDoS another server, the firewall can block outgoing packets on all ports but specific ones you specify (i.e. http). And what's more? You can block specific IP/IP ranges that may be giving you trouble.

Now do I recommend installing a firewall of some sort? Definitely! I run firewalls on all my servers because, if nothing else, it gives me a buffer for future exploits that may affect such and such a kernel or something. It also allows me to keep my customers happy by banning IPs that attempt to DoS their site.
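
The two points in the post above (an allowed port only matters if a service listens on it, and outbound filtering limits what a compromised box can send) can be checked against a server's own settings. The following is an added example, not part of the original thread and not APF's own code: it compares APF's ingress port list with the listening sockets and reports the egress setting. The configuration and `ss -ltn` text are constructed samples; `IG_TCP_CPORTS`, `EGF` and `EG_TCP_CPORTS` are variable names from APF's `conf.apf`, and the `_` range syntax is assumed.

```python
import re

# Constructed sample of APF settings (variable names as in conf.apf).
SAMPLE_CONF = '''IG_TCP_CPORTS="22,80,443,3306"
EGF="0"
EG_TCP_CPORTS="25,80,443"
'''
# Constructed sample of `ss -ltn` output.
SAMPLE_SS = '''State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      100    0.0.0.0:25          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
'''

def parse_conf(text):
    """Return {NAME: value} for NAME="value" shell-style assignments."""
    return dict(re.findall(r'^([A-Z_]+)="([^"]*)"', text, re.M))

def expand_ports(spec):
    """Expand '22,80,6000_6010' into a set of ints ('_' range: assumption)."""
    ports = set()
    for item in filter(None, (p.strip() for p in spec.split(','))):
        lo, _, hi = item.partition('_')
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def listeners(ss_text):
    """Return {port: set of bind addresses} from `ss -ltn` lines."""
    found = {}
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == 'LISTEN':
            addr, _, port = cols[3].rpartition(':')
            found.setdefault(int(port), set()).add(addr)
    return found

def audit(conf_text, ss_text):
    """Compare firewall-allowed ports with services reachable off-box."""
    conf = parse_conf(conf_text)
    allowed = expand_ports(conf.get('IG_TCP_CPORTS', ''))
    public = {p for p, a in listeners(ss_text).items() if a - {'127.0.0.1', '[::1]'}}
    egress_on = conf.get('EGF') == '1'
    return {
        'allowed_no_service': sorted(allowed - public),  # hole with nothing behind it
        'service_blocked': sorted(public - allowed),     # listening, but dropped inbound
        # None means outbound traffic is unfiltered
        'egress_allowed': sorted(expand_ports(conf.get('EG_TCP_CPORTS', ''))) if egress_on else None,
    }
```

On a live server the inputs would be the contents of the APF configuration file and the output of `ss -ltn`; ports listed under `allowed_no_service` can be dropped from the ingress list, and services under `service_blocked` are candidates for disabling if nobody needs them.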
hedhod12
Thanks for the explanation...
doc
When I first got my Linux web server I would get emails every morning of people trying hundred-thousands of times to log into my web server. Now with BFD and APF, all I get is an email that says some idiot tried to log in and his IP was banned.

Can't beat that.