
New csf v4.11

Changes:

  • Fixed addition of exe:/usr/libexec/hald-addon-keyboard to csf.pignore for existing installations
  • Modified the calculation for the position of LOCALOUTPUT in the OUTPUT chain
  • Added /etc/cron.d/lfdcron.sh to restart lfd daily
  • Added exe:/usr/libexec/dovecot/imap and exe:/usr/libexec/dovecot/pop3 and exe:/usr/sbin/mysqld_safe to csf.pignore
  • Modified SCRIPT_ALERT regex to cope with exim log format changes in FC8+
  • As per RFC 4409 (Message Submission for Mail), port 587 is added to the default TCP_IN list of ports for new installations (i.e. SMTP servers are now recommended to offer port 587 for MUA to MTA submission traffic, leaving port 25 for MTA to MTA transfer)
  • Added informational text to Process Tracking email report if a process is running an executable that has been deleted
  • Added csf version to the daemon startup log line in lfd.log
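The deleted-executable check mentioned in the Process Tracking note above, as an added example (this is not lfd's own code). On Linux, `/proc/<pid>/exe` is a symlink whose target gains the suffix ` (deleted)` once the binary has been unlinked, which is what a dropper that removes itself after launch looks like, and also what a daemon still running a pre-upgrade binary looks like. The fake `/proc` tree built by `build_fake_proc()` and the paths and command lines in it are constructed sample data; `scan_proc()` can be pointed at the real `/proc` as well.

```python
"""Report processes whose executable has been deleted from disk (added example)."""
import os
import tempfile
from typing import Dict, List

DELETED_SUFFIX = " (deleted)"   # appended by the kernel to the /proc/<pid>/exe link target


def is_deleted_exe(link_target: str) -> bool:
    """True if a readlink() result for /proc/<pid>/exe points at a removed file."""
    return link_target.endswith(DELETED_SUFFIX)


def describe_exe(link_target: str) -> Dict[str, object]:
    """Split the link target into the original path and a deleted flag."""
    path = link_target[:-len(DELETED_SUFFIX)] if is_deleted_exe(link_target) else link_target
    return {"path": path, "deleted": is_deleted_exe(link_target)}


def scan_proc(proc_root: str = "/proc") -> List[Dict[str, object]]:
    """Walk a /proc-style tree and return every process running a deleted executable.

    Entries that cannot be read (other users' processes without root, kernel
    threads, processes that exited mid-scan) are skipped rather than reported.
    """
    findings: List[Dict[str, object]] = []
    try:
        pids = sorted(p for p in os.listdir(proc_root) if p.isdigit())
    except OSError:                      # no /proc at all (non-Linux host)
        return findings
    for pid in pids:
        try:
            target = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:
            continue
        if not is_deleted_exe(target):
            continue
        info = describe_exe(target)
        info["pid"] = int(pid)
        try:
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
                info["cmdline"] = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            info["cmdline"] = ""
        findings.append(info)
    return findings


def build_fake_proc(root: str) -> None:
    """Construct a minimal fake /proc tree (constructed sample data, not real processes)."""
    samples = [
        (101, "/usr/sbin/httpd", b"/usr/sbin/httpd\0-k\0start\0"),        # healthy daemon
        (202, "/tmp/.cache/payload (deleted)", b"payload\0"),              # self-deleting binary
    ]
    for pid, target, cmdline in samples:
        pid_dir = os.path.join(root, str(pid))
        os.makedirs(pid_dir)
        os.symlink(target, os.path.join(pid_dir, "exe"))   # dangling link is fine, like /proc
        with open(os.path.join(pid_dir, "cmdline"), "wb") as fh:
            fh.write(cmdline)


def demo() -> List[Dict[str, object]]:
    """Run the scanner over the constructed tree; only pid 202 should be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_proc(tmp)
        return scan_proc(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(f"pid {finding['pid']}: {finding['path']} has been deleted "
              f"(cmdline: {finding['cmdline']})")
```

A path that happens to end in the literal string ` (deleted)` would be a false positive; a stricter check can confirm it by comparing `os.stat(f"/proc/{pid}/exe")` against the inode of the path on disk, which the example omits for brevity.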

New csf v4.10

Changes:

  • Added /usr/libexec/hald-addon-keyboard to csf.pignore
  • Modified the static DNS port rules to always allow all OUTGOING (only) connections to/from port 53 udp/tcp. This should help on servers where iptables was blocking outgoing port 53 udp connections despite the port being open
  • Added new option DNS_STRICT which removes all static DNS rules and allows DNS traffic only through SPI (connection tracking). For stability reasons it is advisable to leave this option disabled, which is the default

New csf v4.09

Changes:

  • Modification to the cPanel version to restart chkservd using /scripts/restartsrv_chkservd instead of the init script, as the latter is removed in the latest EDGE release, which puts chkservd under the control of tailwatchd (in the latest EDGE, /scripts/restartsrv_chkservd is a stub that restarts tailwatchd; in older cPanel versions it is a direct restart script). chkservd is restarted when csf is installed, uninstalled, upgraded, disabled or enabled

New csf v4.08

Changes:

  • Added a new timing system to more accurately trigger lfd tasks. This should alleviate timing issues such as those seen with LT_POP3D and LT_IMAPD and improve the overall effectiveness and performance of lfd
  • Added a new method for reaping child processes. If you find that zombie lfd processes start to build up, you can revert to the old reaper by enabling the new option OLD_REAPER

New csf v4.07

Changes:

  • Messenger service now supports advanced filter permanent port block redirection

New csf v4.06

Our apologies for the slew of updates due to the major changes in v4. Hopefully things will settle down again now ;)

Changes:

  • Moved the GALLOW, GDENY, SPAMHAUS, DSHIELD and DYNDNS rules to the LOCALxxPUT chains so that the entries can be correctly listed with ACCEPT rules at the top and DENY rules at the bottom of the chain (iptables acts on the first matching rule, so a DENY placed above an ACCEPT for the same address would shadow it)
  • Repositioned the cPanel Bandmin acctboth rule entry in the INPUT and OUTPUT chains so that bandwidth accounting is kept accurate
  • Fixed a problem processing advanced port filters in GLOBAL_ALLOW and GLOBAL_DENY

New csf v4.05

Change aimed at addressing DNS resolver issues:

  • Moved resolver ACCEPT rules to the top of the INPUT and OUTPUT chains

New csf v4.04

Changes:

  • Fixed problem with rule placement for ETH_DEVICE_SKIP
  • Ensure all ALLOW requests are inserted before DENY requests after csf has been restarted
  • Ensure that fwlogwatch stats creation uses IPTABLES_LOG file
  • Only perform operations on the nat table if MESSENGER service is enabled
  • lfd Process Tracking will now ignore MESSENGER_USER messenger services
  • Added new option PT_ALL_USERS so that all Linux accounts on a cPanel server are checked in Process Tracking, not just cPanel users. This option is disabled by default on cPanel servers. Enabling this option may require adding exceptions to csf.pignore
  • Additional exceptions added to csf.pignore for cPanel servers for the new PT_ALL_USERS option
  • PT_SKIP_HTTP now disabled by default for new installations
  • Added PT_ALL_USERS and PT_SKIP_HTTP checks to the WHM Server Check
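Several of the notes above (v4.04 "ALLOW requests are inserted before DENY requests", v4.05 "resolver ACCEPT rules to the top", v4.06 "ACCEPT rules at the top and DENY rules at the bottom") come down to one property of iptables: a chain is evaluated top to bottom and the first matching rule decides the verdict. The following is an added example, not csf's code, that models that evaluation so the ordering bug can be seen directly. The `Rule`/`Chain` classes, the `LOCALINPUT`-style chain builder and the addresses in it are simplifying assumptions constructed for illustration; `insert()` stands in for `iptables -I` (prepend) and `append()` for `iptables -A`.

```python
"""First-match evaluation of a firewall chain and the ALLOW-before-DENY invariant (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Rule:
    target: str                   # "ACCEPT" or "DROP"
    src: Optional[str] = None     # source CIDR, None matches any
    proto: Optional[str] = None   # "tcp" / "udp", None matches any
    dport: Optional[int] = None   # destination port, None matches any

    def matches(self, pkt: Dict[str, object]) -> bool:
        if self.src is not None and ip_address(str(pkt["src"])) not in ip_network(self.src):
            return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    policy: str = "DROP"          # verdict when nothing matches

    def insert(self, rule: Rule) -> None:   # like `iptables -I CHAIN`: new rule goes to the top
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:   # like `iptables -A CHAIN`: new rule goes to the bottom
        self.rules.append(rule)

    def verdict(self, pkt: Dict[str, object]) -> str:
        for rule in self.rules:             # first matching rule wins, later rules are never seen
            if rule.matches(pkt):
                return rule.target
        return self.policy


def build_chain(allow_on_top: bool) -> Chain:
    """Chain with a DENY for a /24 and an ALLOW for one host inside it (constructed entries).

    allow_on_top=True mimics the csf ordering: the ALLOW is inserted at the top and
    the DENY appended at the bottom. allow_on_top=False appends both in request
    order, so the DENY sits above the ALLOW and shadows it.
    """
    chain = Chain()
    deny = Rule("DROP", src="203.0.113.0/24")                              # csf.deny-style entry
    allow = Rule("ACCEPT", src="203.0.113.5/32", proto="tcp", dport=22)   # csf.allow-style entry
    chain.append(deny)
    if allow_on_top:
        chain.insert(allow)
    else:
        chain.append(allow)
    return chain


def allows_before_denies(chain: Chain) -> bool:
    """Invariant csf restores on restart: no ACCEPT rule sits below any DROP rule."""
    first_deny = next((i for i, r in enumerate(chain.rules) if r.target == "DROP"), len(chain.rules))
    last_allow = max((i for i, r in enumerate(chain.rules) if r.target == "ACCEPT"), default=-1)
    return last_allow < first_deny


if __name__ == "__main__":
    ssh_from_allowed_host = {"src": "203.0.113.5", "proto": "tcp", "dport": 22}
    for on_top in (True, False):
        chain = build_chain(on_top)
        print(f"ALLOW on top={on_top}: verdict={chain.verdict(ssh_from_allowed_host)}, "
              f"invariant holds={allows_before_denies(chain)}")
```

Running the script shows the allowed host getting ACCEPT only when the ALLOW rule precedes the DENY; with the order reversed the same packet is dropped even though an ALLOW entry exists, which is exactly the failure the v4.04 note guards against after a restart.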

New csf v4.03

Changes:

  • Fixed problem where the new LOCALxxPUT chains were only processing tcp requests
  • Fixed problem with insertion of SMTP_BLOCK rules exceeding the rule count in the OUTPUT chain under certain circumstances

New csf v4.02 (Released from BETA)

Changes for v4:

  • New feature – Messenger Service. This feature allows the display of a message to a blocked connecting IP address to inform the user that they are blocked in the firewall. This can help when users get themselves blocked, e.g. due to multiple login failures. The service is provided by two daemons running on ports providing either an HTML or TEXT message. See csf.conf and readme.txt for more information