Release Notes: This release includes the latest iteration of the Tortix Web Application Firewall (T-WAF for short). The T-WAF is the next generation of the initial external WAF piloted with the Plesk WAF module. It can dynamically redirect local HTTP/HTTPS traffic directly through the T-WAF module using firewall redirect rules; this is called a "local redirect". The T-WAF also supports a "plesk" mode, which replaces the original plesk-waf-setup application, and a "remote" mode, which allows the ASL server to act as a reverse proxy for downstream web servers.
As of this release the T-WAF module is considered a beta project and is not enabled by default. Users interested in beta-testing the T-WAF can activate it with: yum install asl-waf-module
The T-WAF will be licensed separately in a future release.
The 3.0.23 update also includes a beta feature for managing the default WAF response policy. Previously, web attacks were blocked inline; this update also allows a "redirect" response to a user-defined URL. This URL can be used to pass information on the nature of the blocked attack, including rule ID, source IP, and internal event ID.
Changelog:
- Add Tortix WAF (T-WAF)
- Retire plesk-waf-setup (replaced by T-WAF)
- Update, Add UNSUPPORTED to version info when distribution cannot be identified
- Update, add support for status to the asl-firewall init script
- Update, ASL Web corrects corrupt serialized data error
- Update to asl_db_rotate, TODO what is token here for archive on/off?
- Update, Changed default behavior of database setup to yes when selecting database installs
- Update, create a common asl firewall rule clearing function, used by the global asl-firewall init script
- Update, ASL Web, categories are now sorted alphabetically
- Update, Add check for /etc/asl/waf-config on permissions check
- Update, Ignore /usr/local/psa/var/cgitory by default in integrity checks
- Feature Request #425, add support for the Spamhaus lasso blacklist
- Feature Request #442, add blacklist support for TOR exit nodes. Adds new config token, FW_TOR
- Feature Request #785, add support for the Dshield blacklist of top attacking networks.
- Feature Request #792, add syn-flood protection. New config token: FW_SYN_COOKIES
- Feature Request #814, HIDS limit email notifications to alerts greater than level X
- Feature Request #820, WAF deny & redirect management subsystem. Adds the config tokens WAF_DEFAULT_ACTION and WAF_REDIRECT_URL
- Feature Request #XXX, add port tracking field for "embedded" waf type
- Feature Request #XXX, automatic updates are now randomized between +1-15 minutes after launch time.
- Bugfix #XXX, change from reload to graceful restarts with tortixd. This should fix blank asl -u windows in ASL Web
- Bugfix #XXX, installer will now store network info to / instead of /tmp.
- Bugfix #XXX, Fix for remote database support
- Bugfix #XXX, Fix for continue y/n prompt in database setup
- Bugfix #XXX, Remove a mod_security binary if it's already there before installing a new one. This corrects a really weird condition when it already exists on source/anarchy installs.
To upgrade: asl -u