General

New csf v4.16

Changes:

  • Removed port 953 from the TCP and UDP allow lists for new csf installations. It is not necessary to whitelist it, since BIND's rndc control channel (port 953) listens only on the loopback interface by default
  • Added exe:/usr/sbin/nsd, exe:/usr/libexec/dovecot/pop3-login and exe:/usr/libexec/dovecot/imap-login to csf.pignore on both new and existing cPanel installations, to cater for cPanel's support for nsd and dovecot (currently in EDGE)
  • Only use Cpanel::Rlimit in the WHM UI if it is available

New csf v4.15

Changes:

  • Fixed a problem in v4.* where the use of GALLOW and ALLOWDYN allowed connections from IP addresses blocked in csf.deny or by temporary blocks. To correct this, the GALLOW, GDENY and ALLOWDYN chains have been split into GALLOWIN, GALLOWOUT, GDENYIN, GDENYOUT, ALLOWDYNIN and ALLOWDYNOUT, so that inbound allow rules can no longer shadow inbound deny rules. Many thanks to Brian for his help in tracking this issue down.

New csf v4.14

Changes:

  • Implemented the use of the cPanel routine Cpanel::Rlimit to remove process resource limit restrictions, as the cPanel memory limitation setting was causing the Server Check to abort with memory allocation problems through WHM on some servers
  • Modified port checking for 23 and 53 in Server Check to read the port mappings directly from /proc instead of invoking the fuser binary
  • Modified lfd and Server Check to also check for IPv6-bound processes: sockets bound to both IPv4 and IPv6 (for example a daemon bound to the :: wildcard), as well as IPv6-only sockets, are listed in /proc/net/tcp6 rather than in /proc/net/tcp, which only covers IPv4-only bindings
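The two /proc-based checks above (reading the socket table directly instead of calling fuser, and consulting the IPv6 table as well as the IPv4 one) can be reproduced with a short script. The following is an added example written for this page, not csf's own Perl code: it parses /proc/net/tcp and /proc/net/tcp6, decodes the kernel's hex address columns, and resolves a listening socket's inode to a PID by walking /proc/<pid>/fd. The SAMPLE_TCP and SAMPLE_TCP6 tables are constructed for the demonstration (as they would appear on a little-endian host); the /proc paths and file layouts are the real Linux interfaces. Port 22 in the sample is bound to the dual-stack wildcard and therefore appears only in the tcp6 table, which is exactly the case the changelog entry describes.

```python
"""Find which process listens on a TCP port by reading /proc directly.

Added example (not csf's own code).  Reads the kernel socket tables
/proc/net/tcp and /proc/net/tcp6 and resolves socket inodes to PIDs via
/proc/<pid>/fd, the same data fuser would consult.  SAMPLE_TCP/SAMPLE_TCP6
are constructed for the demo; the /proc layouts are the real ones.
"""
import os
import socket
import sys
from typing import List, Optional, Tuple

LISTEN = "0A"  # value of the 'st' column for TCP_LISTEN

# Constructed /proc/net/tcp: 127.0.0.1:53 listening (inode 17001),
# 0.0.0.0:3306 listening (17002) and one ESTABLISHED connection to port 53.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 17002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0035 0100007F:C35A 01 00000000:00000000 00:00000000 00000000     0        0 17003 1 0000000000000000 20 4 30 10 -1
"""

# Constructed /proc/net/tcp6: [::1]:53 (17004) and [::]:22 (17005).
# Port 22 is bound to the dual-stack wildcard, so it appears ONLY in this table.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:0035 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17004 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17005 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(hex_addr: str) -> str:
    """Decode the hex address column.  The kernel writes each 32-bit word in
    host byte order, so on little-endian hosts every 4-byte group is reversed."""
    raw = bytes.fromhex(hex_addr)
    words = [raw[i:i + 4] for i in range(0, len(raw), 4)]
    if sys.byteorder == "little":
        words = [w[::-1] for w in words]
    packed = b"".join(words)
    family = socket.AF_INET if len(packed) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, packed)


def listening_sockets(table: str) -> List[Tuple[str, int, str]]:
    """Return (address, port, inode) for every LISTEN row of a tcp/tcp6 table."""
    rows = []
    for line in table.splitlines():
        fields = line.split()
        # skip the header line and any socket that is not in LISTEN state
        if len(fields) < 10 or not fields[0].endswith(":") or fields[3] != LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        rows.append((decode_addr(addr_hex), int(port_hex, 16), fields[9]))
    return rows


def find_listeners(port: int, tcp: str, tcp6: str) -> List[Tuple[str, str]]:
    """(address, inode) of every listener on `port`, consulting BOTH tables.
    A daemon bound to :: (dual stack) is visible only in /proc/net/tcp6."""
    return [(addr, inode)
            for table in (tcp, tcp6)
            for addr, p, inode in listening_sockets(table)
            if p == port]


def inode_to_pid(inode: str, proc: str = "/proc") -> Optional[int]:
    """Walk /proc/<pid>/fd for the 'socket:[inode]' link.  Reading other
    users' fd tables normally requires root, just as fuser does."""
    target = f"socket:[{inode}]"
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:  # process exited or fd table not readable
            continue
    return None


def read_table(path: str) -> str:
    """/proc/net/tcp6 is absent when IPv6 is disabled; treat that as empty."""
    try:
        with open(path) as f:
            return f.read()
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 53
    hits = find_listeners(port, read_table("/proc/net/tcp"), read_table("/proc/net/tcp6"))
    for addr, inode in hits:
        print(f"port {port} bound on {addr} by pid {inode_to_pid(inode)}")
    if not hits:
        print(f"nothing listening on port {port}")
```

Run as root with a port number argument to check a live system; checking only /proc/net/tcp would miss a bind or telnetd that is listening on the IPv6 wildcard, which is the false negative the v4.14 change fixes.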

New csf v4.13

Changes:

  • Updated various comments in csf.conf
  • Fixed call to csfpost.sh from csf

New csf v4.12

Changes:

  • Modified lfd Login Failure tracking to use a per-IP-address rolling LF_INTERVAL window rather than a single static window shared by all tracked IPs. This makes login failure counting more accurate and blocking more responsive, as failures that straddle a window boundary are no longer lost
  • Added new feature – Block Reporting. lfd can run an external script when it performs an IP address block, for example following a login failure. Set BLOCK_REPORT to the full path of the external script. See readme.txt for format details
  • If csf is installed or upgraded via an SSH session, the connecting IP address will now be automatically added to csf.allow (note: it is not added to csf.ignore, so lfd may still block it). This IP can be removed after testing if desired
  • Modified the lfd.log format to the standard: :: lfd[]: If you parse lfd.log you will need to update your scripts!
  • Added DEBUG option – for internal use only

New csf v4.11

Changes:

  • Fixed addition of exe:/usr/libexec/hald-addon-keyboard to csf.pignore for existing installations
  • Modified the calculation for the position of LOCALOUTPUT in the OUTPUT chain
  • Added /etc/cron.d/lfdcron.sh to restart lfd daily
  • Added exe:/usr/libexec/dovecot/imap and exe:/usr/libexec/dovecot/pop3 and exe:/usr/sbin/mysqld_safe to csf.pignore
  • Modified SCRIPT_ALERT regex to cope with exim log format changes in FC8+
  • As per RFC 4409 (Message Submission, since superseded by RFC 6409), added port 587 to the default TCP_IN list of ports for new installations (i.e. it is now recommended for SMTP servers to offer port 587 for MUA-to-MTA submission traffic rather than port 25, which is for MTA-to-MTA traffic)
  • Added informational text to Process Tracking email report if a process is running an executable that has been deleted
  • Added csf version to the daemon startup log line in lfd.log

New csf v4.10

Changes:

  • Added /usr/libexec/hald-addon-keyboard to csf.pignore
  • Modified the static DNS port rules to always allow all OUTGOING (only) connections to/from port 53 udp/tcp. This should help the situation where some servers' iptables block outgoing port 53 udp connections despite the port being open
  • Added new option DNS_STRICT which removes all static DNS rules and allows DNS access only through SPI (stateful packet inspection). For stability reasons it is advisable to leave this option disabled (the default)

New csf v4.09

Changes:

  • Modified the cPanel version to restart chkservd using /scripts/restartsrv_chkservd instead of the init script, as the latter is removed in the latest EDGE release, which puts chkservd under the control of tailwatchd (in the latest EDGE, /scripts/restartsrv_chkservd is a stub that restarts tailwatchd, whereas in older cPanel versions it is a direct restart script). chkservd is restarted when csf is installed, uninstalled, upgraded, disabled or enabled

New csf v4.08

Changes:

  • Added a new timing system to more accurately trigger lfd tasks. This should alleviate timing issues such as those seen with LT_POP3D and LT_IMAPD and improve the overall effectiveness and performance of lfd
  • Added a new method for reaping child processes. If you find that zombie lfd processes start to build up, you can revert to the old reaper by enabling the new option OLD_REAPER