Added new option CC6_LOOKUPS. This adds IPv6 support for Country Code and Country lookups
Added new option LF_NETBLOCK_IPV6. This adds IPv6 support for LF_NETBLOCK
Modified LF_LOOKUPS to use the host binary if available for more reliable IPv4 and IPv6 reverse lookups
Added IPv6 support for LF_IPSET
Added IPv6 support for CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_ALLOW_PORTS, CC_DENY_PORTS, CC_IGNORE, CC_ALLOW_SMTPAUTH (Requires CC6_LOOKUPS and CC_LOOKUPS to be enabled)
Added IPv6 support for X_ARF report where found in the Abusix Contact DB
Added IPv6 nameserver support for /etc/resolv.conf
Added IPv6 support for MESSENGER if ip6tables version >= 1.4.17 and perl module IO::Socket::INET6 is installed
Added IPv6 support for PORTFLOOD if ip6tables version >= 1.4.3
Added IPv6 support for CONNLIMIT if ip6tables version >= 1.4.3
Added IPv6 support for SYNFLOOD
Added flush of ip6tables nat table if ip6tables version >= 1.4.17
Standardise all IPv6 addresses and networks to use the short form for consist representation
Added FASTSTART support to LF_IPSET
Increased ulimit -n to 4096 in /etc/init.d/lfd
Included Net::IP for IP address manipulation
Included version perl module for version comparisons
Added missing csf.allow search to csf –grep
Added Server Check report for LF_IPSET when using Country Code filters
Fix for temporary denies allowing duplicate IP/Port blocks/allows
Speedup csf –grep [ip] when searching IPSET sets. Note: This does mean that partial IP queries will no longer match IPSET entries
Added new options LF_IPSET_HASHSIZE and LF_IPSET_MAXELEM to allow for larger ipset sets
Added option HOST as the location of the “host” binary for DNS TXT record lookups
Modified X_ARF report to include the abuse contact for a reported IP address where found in the Abusix Contact DB
Added new option X_ARF_ABUSE. This option allows for automatic sending of X_ARF reports to the IP addresses abuse contact. See csf.conf for warnings about using this option
Added binary location checking in csf and issue warnings if incorrect, not installed or not executable
Added new option PT_SSHDHUNG. Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes are often left hung after their connecting IP addresses have been blocked. This option will terminate such processes. See csf.conf for more info
Added new binaries to csf.pignore on existing cPanel installations to cater for v11.50 and CentOS v7
LF_CONSOLE_EMAIL_ALERT and LF_WEBMIN_EMAIL_ALERT now default to 1 for new installations
Modified LF_CSF on cPanel servers to detect a change in the cPanel version and then trigger a restart of ConfigServer scripts (added cxs pure-uploadscript restart)
Added new option LF_SPI. This option configures csf iptables as a Stateful Packet Inspection (SPI) firewall – the default. If the server has a broken stateful connection tracking kernel then this setting can be set to 0 to configure csf iptables to be a Static firewall, though some funtionality and security will be inevitably lost
Added common systemd logs to csf.logignore for new installs
Modify LF_IPSET in csf to print failure messages instead of aborting on error
On servers using systemd if firewalld found to be active, csf and lfd will not start until is is stopped and disabled as csf cannot be used with firewalld
Added option SYSTEMCTL to csf.conf as the location of the systemctl binary for use with servers using systemd
