General

Changes:

• Fixed bug where iptables nat tables were not being flushed or grepped correctly

Changes:

• Modified DYNDNS and GLOBAL_DYNDNS to use the host binary if available for more reliable IPv4 and IPv6 reverse lookups
• Fixed IPv6 use of ipset for DYNDNS and GLOBAL_DYNDNS
• Added new csf CLI option: –lfd [stop|start|restart|status]. Actions to take with the lfd daemon
• Added new csf CLI option: -ra, –restartall. Restart firewall rules (csf) and then restart lfd daemon
• Fixed several output message typos for “FASTSTART”
• Disable IPv6 nat support (and MESSENGER) if ip6tables nat not provided by the local kernel
• Improve IPv6 detection on installation
• Implemented more efficient csf.conf loading in ConfigServer::Config

Changes:

• Modify ConfigServer::CheckIP to cope with entries not passed by reference

Changes:

• Added new option CC6_LOOKUPS. This adds IPv6 support for Country Code and Country lookups
• Added new option LF_NETBLOCK_IPV6. This adds IPv6 support for LF_NETBLOCK
• Modified LF_LOOKUPS to use the host binary if available for more reliable IPv4 and IPv6 reverse lookups
• Added IPv6 support for LF_IPSET
• Added IPv6 support for CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_ALLOW_PORTS, CC_DENY_PORTS, CC_IGNORE, CC_ALLOW_SMTPAUTH (Requires CC6_LOOKUPS and CC_LOOKUPS to be enabled)
• Added IPv6 support for X_ARF report where found in the Abusix Contact DB
• Added IPv6 nameserver support for /etc/resolv.conf
• Added IPv6 support for MESSENGER if ip6tables version >= 1.4.17 and perl module IO::Socket::INET6 is installed
• Added IPv6 support for PORTFLOOD if ip6tables version >= 1.4.3
• Added IPv6 support for CONNLIMIT if ip6tables version >= 1.4.3
• Added IPv6 support for SYNFLOOD
• Added flush of ip6tables nat table if ip6tables version >= 1.4.17
• Standardise all IPv6 addresses and networks to use the short form for consist representation
• Added FASTSTART support to LF_IPSET
• Increased ulimit -n to 4096 in /etc/init.d/lfd
• Included Net::IP for IP address manipulation
• Included version perl module for version comparisons
• Added missing csf.allow search to csf –grep
• Added Server Check report for LF_IPSET when using Country Code filters

Changes:

• Fix for temporary denies allowing duplicate IP/Port blocks/allows
• Speedup csf –grep [ip] when searching IPSET sets. Note: This does mean that partial IP queries will no longer match IPSET entries
• Added new options LF_IPSET_HASHSIZE and LF_IPSET_MAXELEM to allow for larger ipset sets
• Added option HOST as the location of the “host” binary for DNS TXT record lookups
• Modified X_ARF report to include the abuse contact for a reported IP address where found in the Abusix Contact DB
• Added new option X_ARF_ABUSE. This option allows for automatic sending of X_ARF reports to the IP addresses abuse contact. See csf.conf for warnings about using this option
• Added binary location checking in csf and issue warnings if incorrect, not installed or not executable

Changes:

• Added new option PT_SSHDHUNG. Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes are often left hung after their connecting IP addresses have  been blocked. This option will terminate such processes. See csf.conf for more info
• Added new binaries to csf.pignore on existing cPanel installations to cater for v11.50 and CentOS v7
• LF_CONSOLE_EMAIL_ALERT and LF_WEBMIN_EMAIL_ALERT now default to 1 for new installations
• Updated Server Check ipv6 detection
• Updated sanity checks

Changes:

• Added warning on cPanel servers for GreyListing
• Fixed issue with RedHat/CentOS/CloudLinux v7 where local IPs were not being successfully detected from IFCONFIG