This update contains the beta version of the Fast-Mode firewall system. We called it "Fast" because its fast.. real fast. Previous firewalls could take minutes or even hours to load large rulesets, the ASL Fast-Mode firewall will load hundreds of thousands of rules in seconds.
* Its fast. Real Fast.
* Inbound TCP services list (FW_INBOUND_TCP_SERVICES)
* Inbound UDP services list (FW_INBOUND_UDP_SERVICES)
* Outbound TCP services list (FW_OUTPUT_TCP_SERVICES)
* Outbound UDP services list (FW_OUTPUT_UDP_SERVICES)
* Dshield, Lasso, and TOR blacklists (FW_DSHIELD, FW_LASSO, FW_TOR)
* Faster (real fast!) loading of existing blacklist/geo-blacklist sets
* User ID limited firewall rules for SMTP traffic from the ACL list /etc/asl/firewall/mta-output-acl. When enabled, only users on this list will be able to connect to external mail servers, preventing untrusted web users from bypassing the internal MTA through the use of spam bots.
* Tortixd ACL list (/etc/asl/firewall/tortixd-access-list), when enabled this is a list of IP's allowed to connect to the ASL Web interface
* Support for user defined rules through ASL Web
* All rules are moved to named ASL- chains.
As a beta component, new features introduced the ASL Fast-Mode firewall are disabled by default. Existing components from the legacy ASL firewall such as the geo-blacklist will take advantage of the new fast-mode loading capabilities with no additional configuration required. While we took pains to make the ASL Fast-mode firewall compatible with other rule management interfaces, we recommend removing or otherwise disabling other firewall management systems. Therefore, third party firewall management tools are not supported.
- Add Fast-Mode firewall system
- Add New monitoring capabilities added: load, diskspace and listeners
- Update, T-WAF, force fix mode if tortix_waf.conf is not detected
- Update, ASL Web, firewall rule changes are saved across reboots
- Update, Configuration, mysql administrator username defaults to "root"
- Update, File integrity, add aqueduct directories to ignores
- Feature Request #628, Add MTA firewall rule group (/etc/asl/firewall/mta-output-acl)
- Bugfix #XXX, ASL Web, Fixes issues with rule edit in firewall window
- Bugfix #XXX, firewall, detect /proc based controls more accurately
- Bugfix #XXX, add more redundancy to waf/tortix proxy configs. This will now purge old versions when configs are blank, in addition to linting configs when they are not blank
- Bugfix #XXX, only write to file if $waf_redirect has something in it
- Bugfix #XXX, ssh_check, fix for enabling password auth when ADMIN users are not defined
- Bugfix #XXX, asl-firstboot, fix path for asl-firstboot's network info file, and add in a post-success cleanup event
1) asl -u
yum upgrade asl asl-web asl-waf-module
2) reload your firewall rules:
service iptables restart
service asl-firewall restart