How to make APF and Fail2ban work together
By default, fail2ban is configured to work with iptables directly. This conflicts with APF: fail2ban adds its own chain to iptables, and every time you reload APF it wipes that fail2ban chain.
Fortunately, fail2ban can be configured with many different actions, which lets it work with iptables, shorewall, etc.
To make APF and fail2ban work together, we just need to add an apf action to fail2ban.
I created /etc/fail2ban/action.d/apf.conf based on shorewall.conf; we just need to edit actionban and actionunban to this:
actionban = apf --deny <ip>
actionunban = apf --remove <ip>
Then we have to configure fail2ban to use apf by editing the /etc/fail2ban/jail.conf file. The line we are looking for is:
banaction = apf
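
The two files described above, written out in full as an added example (not the original post's own files). The empty start/stop/check hooks, the comment string passed to `apf --deny`, and the `[Init]` default are assumptions layered on the two lines the post gives.

```ini
# ---- /etc/fail2ban/action.d/apf.conf ----
[Definition]

# APF manages its own rule set, so fail2ban has no chain of its own to
# create, verify or tear down. Leaving these hooks empty is what removes
# the conflict: nothing fail2ban-owned exists in iptables for an APF
# reload to wipe.
actionstart =
actionstop =
actioncheck =

# <ip> is replaced by fail2ban with the offending address.
# "apf --deny HOST COMMENT" adds the host to APF's deny list and loads the
# rule immediately; because the entry lives in APF's own deny list, it is
# reapplied when APF reloads.
# The comment text is an assumption; it just makes the entries easy to
# find when auditing the deny list.
actionban = apf --deny <ip> "fail2ban <name>"

# "apf --remove HOST" drops the host from APF's host rules when the ban expires.
actionunban = apf --remove <ip>

[Init]
# Fallback jail name used in the comment if the jail does not pass one.
name = default

# ---- /etc/fail2ban/jail.conf ----
[DEFAULT]
# Route every jail's ban/unban through the apf action defined above
# instead of the iptables-based default.
banaction = apf
```

After restarting fail2ban, a ban should appear as a commented entry in APF's deny list and still be enforced after an APF reload.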