ConfigServer Services Blog

New csf v4.06

Our apologies for the slew of updates due to the major changes in v4. Hopefully things will settle down again now ;)Changes:

  • Moved the GALLOW, GDENY, SPAMHAUS, DSHIELD and DYNDNS rules to the LOCALxxPUT chains so that the entries can be correctly listed with ACCEPT’s at the top and DENY’s at the bottom of the chain
  • Repositioned the cPanel Bandmin acctboth rule entry in the INPUT and OUTPUT chains so that bandwidth accounting is kept accurate
  • Fixed a problem processing advanced port filters in GLOBAL_ALLOW and GLOBAL_DENY

New csf v4.05

Change aimed at addressing DNS resolver issues:

  • Moved resolver ACCEPT rules to the top of the INPUT and OUTPUT chains

New csf v4.04

Changes:

  • Fixed problem with rule placement for ETH_DEVICE_SKIP
  • Ensure all ALLOW requests are inserted before DENY requests after csf has been restarted
  • Ensure that fwlogwatch stats creation uses IPTABLES_LOG file
  • Only perform operations on the nat table if MESSENGER service is enabled
  • lfd Process Tracking will now ignore MESSENGER_USER messenger services
  • Added new option PT_ALL_USERS so that all Linux accounts on a cPanel server are checked in Process Tracking, not just cPanel users. This option is disabled by default on cPanel servers. Enabling this option may require adding exceptions to csf.pignore
  • Additional exceptions added to csf.pignore for cPanel servers for the new PT_ALL_USERS option
  • PT_SKIP_HTTP now disabled by default for new installations
  • Added PT_ALL_USERS and PT_SKIP_HTTP checks to the WHM Server Check

New csf v4.03

Changes:

  • Fixed problem where the new LOCALxxPUT chains were only processing tcp requests
  • Fixed problem with insertion of SMTP_BLOCK rules exceeding the rule count in the OUTPUT chain under certain circumstances

New csf v4.02 (Released from BETA)

Changes for v4:

  • New feature – Messenger Service. This feature allows the display of a message to a blocked connecting IP address to inform the user that they are blocked in the firewall. This can help when users get themselves blocked, e.g. due to multiple login failures. The service is provided by two daemons running on ports providing either an HTML or TEXT message. See csf.conf and readme.txt for more information

Feedback for csf v4 beta

For those that have tried the new messenger service with the csf v4 beta, please feel free to post a comment about your experience, good bad or indifferent here 🙂

New csf v4.01 *BETA*

This update is ONLY to the v4 BETA release of csf.Changes:

  • Allow the Messenger Service to be used on VPS servers. However, if the ipt_REDIRECT module is missing csf will fail to start correctly and abort
  • HTML Messenger service server now only reads a limited line length instead of unlimited input to prevent overflows

Download available here and requires manual installation:http://www.configserver.com/free/csfv4beta.tgz

New csf v4.00 *BETA*

This is a BETA release of csf v4.00 which introduces a major new feature and a reworking of the iptables chains and rules. While extensive testing has been done, it is eminently possible that this release may contain bugs. Please do not use this release if you’re not prepared to help troubleshoot the new features and are not familiar with the Linux root shell.For this beta release ONLY, users can log helpdesk tickets ONLY if they find problems with the new features. If this is not adhered to the tickets will simply be closed.Changes:

  • New feature – Messenger Service. This feature allows the display of a message to a blocked connecting IP address to inform the user that they are blocked in the firewall. This can help when users get themselves blocked, e.g. due to multiple login failures. The service is provided by two daemons running on ports providing either an HTML or TEXT message. See csf.conf and readme.txt for more information (not available on VPS platforms and others missing the ipt_REDIRECT kernel module)
  • Moved INPUT and OUTPUT chain rules for blocks and allows to their own respective chains LOCALINPUT and LOCALOUTPUT. This means that no IP blocks will be listed in the INPUT or OUTPUT chains, but in the new ones
  • Re-organised all of the INPUT and OUTPUT chain rules to give precedence to the LOCALINPUT rules before invoking other chains and port ALLOW rules
  • Moved the SYNFLOOD protection chain rule to be the first chain rule after the LOCALINPUT chain rule
  • Moved the lo device rules to the always be at the top of the INPUT and OUTPUT chains
  • Modified the syslog regex matches to only match on local entries to cope with centralised syslog configurations

Download available here and requires manual installation:http://www.configserver.com/free/csfv4beta.tgz

New MailScanner Script v2.68

Changes:

  • Brought MailScanner In Only exim init script inline with the latest from cPanel with the use of tailwatchd
  • New Mailscanner v4.71.10:http://www.mailscanner.info/ChangeLog