From 7d2df3b5cf25a249847e5e6f9459f5026870934c Mon Sep 17 00:00:00 2001 From: Ryan MacDonald Date: Tue, 4 Feb 2014 04:29:07 -0500 Subject: [PATCH] [Change] updates --refresh|-e to utilize new consolidated allow/deny functions and improve performance of refresh (reload) operations [Change] modified CHANGELOG versioning history to contain release dates back to initial Mar 2003 release [Change] modified cron.daily to use init script restart operation instead of hard flushing and starting with CLI wrapper [Change] updated copyright dates in all output and file headers --- .ca.def | 17 ++- CHANGELOG | 150 +++++++----------------- README | 7 +- apf.init | 7 +- cron.daily | 4 +- files/VERSION | 2 +- files/apf | 31 ++--- files/conf.apf | 17 ++- files/extras/dshield/README | 10 -- files/extras/dshield/cron.ds | 2 - files/extras/dshield/dshield-3.2.tar.gz | Bin 29866 -> 0 bytes files/extras/dshield/install | 23 ---- files/extras/get_ports | 25 +--- files/extras/importconf | 25 +--- files/firewall | 25 +--- files/internals/functions.apf | 37 ++---- files/internals/internals.conf | 2 +- files/vnet/main.vnet | 25 +--- files/vnet/vnetgen | 26 ++-- importconf | 25 +--- install.sh | 26 ++-- 21 files changed, 136 insertions(+), 350 deletions(-) delete mode 100644 files/extras/dshield/README delete mode 100644 files/extras/dshield/cron.ds delete mode 100644 files/extras/dshield/dshield-3.2.tar.gz delete mode 100755 files/extras/dshield/install diff --git a/.ca.def b/.ca.def index dd08b32..1f816af 100755 --- a/.ca.def +++ b/.ca.def 
@@ -1,16 +1,15 @@ cat > .conf.apf < -# Copyright (C) 2007, Ryan MacDonald -# This program may be freely redistributed under the terms of the GNU GPL -# +## +# Advanced Policy Firewall (APF) v1.7.5 +# (C) 2002-2014, R-fx Networks +# (C) 2014, Ryan MacDonald +# This program may be freely redistributed under the terms of the GNU GPL v2 +## # NOTE: This file should be edited with word/line wrapping off, -# if your using pico/nano please start it with the -w switch -# (e.g: pico -w filename) -# NOTE: All options in this file are integer values unless otherwise -# indicated. This means value of 0 = disabled and 1 = enabled. +# if your using pico/nano please start use the -w switch +# (e.g: nano -w filename) ## # [Main] diff --git a/CHANGELOG b/CHANGELOG index 770bc1f..b0be112 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,15 @@ -- 9.7 -(rev:3) +- 1.7.5 | Feb 4th 2014: +[New] Versioning scheme changed as follows: + - MAJOR#.MINOR#.REVISION# + - [0.]9.7-3 becomes 1.7.3 + - 1.7.3 Mar 11th 2013 contained many backported items from dev tree that became 1.7.4; merged trees into 1.7.5 + - New versioning scheme will become consistent across all rfxn.com projects + - Pending release of APF2 (2.0.0) will provide robust IPv6 support + - The old versioning scheme had no real value and had become a never + ending release tree +[Change] updates --refresh|-e to utilize new consolidated allow/deny functions and improve performance of refresh (reload) operations +[Change] modified CHANGELOG versioning history to contain release dates back to initial Mar 2003 release +[Change] modified cron.daily to use init script restart operation instead of hard flushing and starting with CLI wrapper [Change] replace IFACE_IN/OUT variables with IFACE_UNTRUSTED variable in conf.apf [Change] removed defunct crondcheck() function [Change] modified devel mode function to use cron.d file instead of directly editing /etc/crontab 
@@ -23,6 +33,7 @@ [Change] preroute rules now load before implicit trust on loopback interface traffic so rules can be applied against loopback traffic if so desired [Change] consolidated TMP_DROP and TMP_ALLOW chains into REFRESH_TEMP +[Change] updated copyright dates in all output and file headers [Fix] trust rules refresh cronjob modified to remove MAILTO & SHELL variables which were causing crond 'bad minute' errors on some systems [Fix] reordered chain flushes on refresh() to avoid any possible packet loss or loss of connectivity @@ -37,7 +48,7 @@ [Fix] in some situations, RABPSCAN would not enable due to kernel module extension variable not being scoped properly and the check_rab function returning that the kernel did not support ipt/xt_recent. -(rev:2) +- 0.9.7-2 | Feb 19th 2012 [Fix] xt/ipt_recent module path changed under RHEL/CentOS 6 [Fix] kernel version tests for 2.4/2.6 kernel modules failed under kernel 3.x [Change] RAB should default to a minimal level of sensitivity; lowered RAB_PSCAN_LEVEL to 1 @@ -50,7 +61,7 @@ [Change] TOS mangling now applies to UDP traffic [Change] default conntrack limit increased to 65536 -(rev:1) +- 0.9.7-1 | Oct 19th 2011 [Fix] bt.rules and associated import of deny_hosts now loads into FW before allow rules [Fix] added stricter checking of local addresses in the trust system [Fix] if wget disappears while remote rules are being fetched it can cause apf @@ -59,8 +70,7 @@ [Change] set DLIST_RESERVED=1 to force reserved.networks updating; does not change value of BLK_RESNET -- 9.6 -(rev:5) +- 0.9.6-5 | Mar 13 2009 [Change] refresh function now stores old rules in temporary chain while new rules load, temporary chain is cleared upon completion of function [Change] renamed drop list related functions for better consistency 
@@ -72,23 +82,15 @@ [Fix] issue with cli_trust_remove() was not deleting trust rules in all situations -(rev:4) +- 0.9.6-4 | Aug 25th 2008 [Change] install.sh will now check against init.d and rc.d/init.d and as a last resort set apf to start from /etc/rc.local [Fix] changed the cron.daily entry to use /etc/apf/apf instead of init script [Fix] Ubntu Linux has changed default pointer of /bin/sh to /bin/dash instead of the traditional /bin/bash, as such for POSIX standards and compat. reasons, all internal pointers to /bin/sh have been updated to /bin/bash -[New] Versioning scheme changed as follows: - - RELEASE#.VERSION#-REVISION# - - 0.9.6-3 becomes 9.6-4 - - 5 revisions per version cycle - - 10 versions per release cycle - - The old versioning scheme had no real value and had become a never - ending release tree -- 0.9.6 -(rev:3) +- 0.9.6-3 | Feb 12th 2008 [Fix] the cli_trust_remove() function was not checking global trust rules before passing allow/deny addresses onto the firewall which caused conflicting trust data if the same address was present in more than @@ -145,7 +147,7 @@ [Change] reserved.networks file now dynamically updated on the r-fx server daily from http://www.iana.org/assignments/ipv4-address-space -(rev:2) +- 0.9.6-2 | Jun 10th 2007 [New] added Reactive Address Blocking (RAB), see conf.apf RAB section for detailed information [Change] removed BLK_P2P variable, BLK_P2P_PORTS now self activating string @@ -238,7 +240,7 @@ [Change] replace the common drop var CDPORTS with BLK_PORTS, conf.apf updated [Fix] added the missing LOG_DROP/LOG_ACCEPT log prefix onto LD/LA chain targets -(rev:1) +- 0.9.6-1 | Jan 16th 2007 [New] added unban() function with -u|--unban run flag to unban hosts and remove from rule files/active running firewall [Change] changed RESV_DNS to default enabled 
@@ -313,8 +315,7 @@ 058/8 Apr 04 APNIC 059/8 Apr 04 APNIC -- 0.9.5 -(rev:1) +- 0.9.5-1 | Feb 19th 2005 [Fix] removed default drop of 124-126/8 in reserved.networks 124/8 Jan 05 APNIC 125/8 Jan 05 APNIC @@ -331,8 +332,7 @@ previous install; also copy's trust rules and conf.antidos [Fix] modified RESV_DNS option to ignore # characters in /etc/resolv.conf -- 0.9.4 -(rev:8) +- 0.9.4-8 | Jan 24th 2005 [New] added filter rules for edonky,kazaa,morpheus; recent php-injection exploits install p2p pirating clients [Change] removed UID 0 checks from firewall/apf script, irrelivent as perms @@ -342,7 +342,7 @@ external/maintained ban list [Change] modified install.sh to symlink apf.bk.$UTIME too /etc/apf.bk.last/ -(rev:7) +- 0.9.4-7 | Jan 2nd 2005 [New] added SYSCTL_CONNTRACK var to conf.apf; relative to ip_conntrack_max [Fix] removed default drop of 085-088/8 in reserved.networks 071/8 Aug 04 ARIN (whois.arin.net) @@ -352,11 +352,11 @@ 087/8 Apr 04 RIPE NCC (whois.ripe.net) 088/8 Apr 04 RIPE NCC (whois.ripe.net) -(rev:6) +- 0.9.4-6 | Sep 1st 2004 [Fix] cports.common, EGF_UID; error in multi-port routine [Change] modified conf.antidos default values -(rev:5) +- 0.9.4-5 | Jul 28th 2004 [Change] revised all log chains that did not conform too the DROP_LOG toggle [Change] revised invalid tcp flag order drop rules; into IN/OUT_SANITY chain [Change] merged ingress nmap style scan drop rules; into IN_SANITY chain @@ -370,13 +370,11 @@ between 'ip' & 'ifconfig' [Fix] vnetgen.def referenced invalid storage variable for ip information -(rev:4) +- 0.9.4-3 | Jun 1st 2004 [Fix] removed default drop of 70/8 in reserved.networks 070/8 Jan 04 ARIN (whois.arin.net) [Fix] fixed outgoing traceroute requests [New] added uid-match egress filtering routine - -(rev:3) [Fix] invalid wildcard destination address when EN_VNET=0 for cports routine [Fix] sysctl.rules output redirected to /dev/null [Fix] missing '"' (SYSCTL_ROUTE="0) in conf.apf 
@@ -385,7 +383,7 @@ created an independent log/reject chain for forign MAC addresses. [New] added LGATE_LOG option to toggle forign gateway mac logging -(rev:2) +- 0.9.4-2 | Mar 3rd 2004 [Change] updated ad/tlog; structure cleanup [Change] revised ignore facility for antidos [Fix] corrected protocol missing error in untrusted name server drop chain @@ -407,8 +405,6 @@ [New] added SYSCTL_TCP SYSCTL_SYN SYSCTL_ROUTE SYSCTL_LOGMARTIANS SYSCTL_ECN SYSCTL_SYNCOOKIES SYSCTL_OVERFLOW vars to conf.apf for sysctl seperation. [Change] revised DEVM so when enabled; log and output warnings are issued. - -(rev:1) [Fix] modified internals.conf and vnetgen script to be explicit for ipv4 only with ip-fetch routines [New] added multiple interface support with seperation of trusted and untrusted @@ -419,8 +415,7 @@ using EXLOG var in conf.apf [Fix] DET_SF routine was not parsing ignore file while fetching syn info. -- 0.9.3 -(rev:5) +- 0.9.3-5 | Feb 11th 2004 [New] added tlog script to antidos; track log length; instead of 'tail -n' [New] added lockfile feature to antidos [Fix] added cl_cports function to clear any set cport values between rule files @@ -432,7 +427,7 @@ [Change] revised default drop policy rules [New] added RESV_DNS var to conf.apf for dns discovery routine -(rev:4) +- 0.9.3-4 | Jan 21st 2004 [Change] removed fwmark preroute rules [Change] oversight typo in deny_hosts.rules [Change] reformated sysctl.conf; added GEN_SYSCTL & HARDEN_SYSCTL to conf.apf 
@@ -444,18 +439,14 @@ internal function to execute bandmin on start sequence [Change] added check-routines to --status for pico, nano and vi as editor -(rev:3) +- 0.9.3-2 | Jan 2nd 2004 [Fix] corrected ip mask in private.networks file; 128.66.0.0/8 -> /16 - -(rev:2) [Fix] attempted fix of certian state connection fixes [Fix] misplaced '-i $IF' statment in certian rules; results 'lo' if being logged [Change] enforced log chains against $IF device [Fix] error in EG_ICMP_TYPES routine; failed to check if EGF is set [Change] modified default CDPORTS [Change] more sanity checks added to bd.rules; for smurf style attacks - -(rev:1) [Change] trimmed down firewall code, refined rules, removed duplicate rules [Fix] revised help() output [Fix] typo in the accepted cli arguments for stop & start @@ -489,16 +480,13 @@ [Change] added more module error checking [Change] revised antidos logging format; syslog style -- 0.9.2 -(rev:11) +- 0.9.2-10 | Dec 15th 2003 [Change] added tcp port 43 to default EG_TCP_CPORTS options for whois [Fix]: removed default drop rules for the following three 8-bit ipv4 blocks 060/8 Apr 03 APNIC (whois.apnic.net) 221/8 Jul 02 APNIC (whois.apnic.net) 222/8 Feb 03 APNIC (whois.apnic.net) [Fix] deprecated TCP_CPORTS option in ident routine - -(rev:10) [Change] exported trust routines to internals/trust.common [Change] moved main.common file to internals/ path [Change] moved internals.conf to internals/ path 
@@ -524,46 +512,36 @@ rather than old format of /etc/apf.bk$$ [Change] removed deprecated option FWRST; antidos -(rev:9) +- 0.9.2-8 | Nov 13th 2003 [Fix] corrected packet flag sanity checks; ACK,PSH+established issues [Change] set sysctl hook for martian sources to zero (0) value default (off) [Change] set use of reset chain for certian protocol abuses; as opposed to drop - -(rev:8) [Change] revised log chain routines; more descriptive prefixes [Fix] added egress log chain for default drops [Change] revised chain pattern file for antidos; conform to new prefixes [Change] rewrite to log chain routines; code cleanup - -(rev:7) [Fix] added PATH definition to vnetgen; fix file not found errors [Fix] made ipt_state & ipt_multiport required modules; fix lockup on init [Fix] modified routines to reload apf [if new bans] after ad() func.; antidos [Change] resorted configuration files setup to be more friendly [Change] more syn-flood routine changes and again tweaked default values [Change] README.antidos definition changes for conf.antidos vars - -(rev:6) [New] added syn-flood trigger ports option; antidos [Fix] revised syn-flood routine to prevent false positives; antidos [Change] revised config defaults; antidos -(rev:5) +- 0.9.2-4 | Sep 6th 2003 [Fix] DET_SF error setting val SRC; antidos [Fix] usr.msg syntax error; antidos [Change] revised config defaults, comments and ordering; antidos [Fix] DET_SF error setting DST; antidos [Fix] line-break errors in usr/arin.msg [Change] permissions enforced on new files from last few releases - -(rev:4) [New] syn-flood detection routine created; antidos [Change] defaults changed in conf.antidos and new syn-flood options added; antidos [Change] revised README.antidos to reflext new options and config vars [Change] removed apf-m dialog menu system; implamentation will be made in 0.9.2 or later [Fix] revised validation routine to prevent duplicate emails; antidos - -(rev:3) [New] APF-M v0.2; apf-manager is a dialog menu based manager 
for APF; addon [Change] revised install script to detect ncurses and install apf-m [Change] reordered bt.rules and purged duplicate entries @@ -571,13 +549,9 @@ [Fix] permissions issue with install script for addon package apf-m [Fix] syntax error in rewrite routine for edit_apf.menu; apf-m [Fix] port zero drop chain - invalid flow order - -(rev:2) [Fix] outbound highport routine; syntax error [New] outbound udp dns routine [Fix] /tmp temp file creation cleanup fix for dshield block.txt parsing - -(rev:1) [Fix] corrected vnet common ports insertion; error prevented proper completion [Change] increased firewall init logging [Fix] added EGF value check before EG_*_CPORTS is loaded 
@@ -586,95 +560,57 @@ [Fix] corrected VNET var issue in vnet.common [Change] revised apf.init to log stop sequences -- 0.9.1: -(rev:10) +- 0.9.1 | Aug 14th 2003: [New] 'addons/' directory added to apf base path [New] dshield client parser/reporter with install script placed in addons/ path - -(rev:9) [Change] modified README file to conform with new conf.apf options [New] toggle for egress filtering in conf.apf - -(rev:8) [Change] modified main.common structure to conform with new CPORTS setup [Change] more commenting changes to conf.apf for new CPORTS setup [Change] egress specific highport fixes added - -(rev:7) [Change] modified CPORTS structure and conf.apf ordering of cports [Change] modified highport connection fixes to conform with new CPORTS setup [New] egress (outbound) filtering & common ports option added - -(rev:6) [New] LRATE var added to conf.apf for log rate limiting - -(rev:5) [New] added monolithic kernel toggle to conf.apf for disabling lkm checks [Change] modified default ignore ports; antidos [Change] modified attack IP/8 comparison to /16; antidos - -(rev:4) [Fix] bcast syntax error in main firewall script [Change] increased drop chain log limit - -(rev:3) [Change] reordered bt.rules entries [Change] modified default trust syntax to set bidirectional rules [Change] modified high port connection fixes for UDP - -(rev:2) [Change] modified log prefix strings in bt.rules; conform to apf log style [Fix] corrected tcp flag sanity check to be bidirectional - -(rev:1) [Change] modified README file to further explain rules setup -- 0.9: -(rev:10) +- 0.9 | Aug 1st 2003: [Change] export udp/tcp.rules to central main.rules [Change] exported CPORTS routine for main adapter to main.common - -(rev:9) [New] added logrotate.d check routine/rotate script for apf log files [New] added fragmented udp drop for input/output - -(rev:8) [Change] modified app. 
name output to log files - -(rev:7) [New] added port zero drop routine for input/output [New] added version/revision tagging to /etc/apf/VERSION [New] added vnetgen execution after install completion [Change] modified README feature list - -(rev:6) [Fix] CPORTS load routine, syntax error in tcp.rules [Change] exported CPORTS routine for vnet rules to vnet.common [Change] modified default vnet template - -(rev:5) [Fix] more tweaks to established ftp check in LP_SNORT; antidos [Change] text formating changes to usr.msg/arin.msg; antidos [Change] removed IPTSNORT feature; modified all relivent files [Change] removed ICMP/FTP packet rate limiting; modified all relivent files - -(rev:4) [Change] modified default udp/tcp drop log prefix [Change] modified default apf cmdline output; more verbose - -(rev:3) [Change] tweaks to the ident reject chain - -(rev:2) [Fix] tcp high port connection fixes - -(rev:1) [Change] modified noncrit.ports default values; antidos [Change] modified arin.msg to note 'whois' server in dynamic fashion; antidos [Fix] usr.msg/arin.msg log tail showing null output in some situations; antidos [Change] modified usr.msg to note whois contact for src attack host; antidos -- 0.8.7: +- 0.8.7 | Jul 26th 2003: [Fix] fixed ml() in main firewall script to properly exit on failed module loads [Change] added comments to conf.apf and README regarding ipt_string.o module [Fix] fixed stdout redirect for trust files to log file @@ -697,7 +633,7 @@ [Fix] suppresed main.vnet error output if no aliased ip's found [Fix] corrected source include path for main.vnet dynamic entries -- 0.8.6: +- 0.8.6 | Jun 20th 2003: [Change] revised vnetgen.def and main.vnet [Change] removed routable network from default drop routes [Change] trust files revised, new syntax support for proto,flow,port,ip 
@@ -710,7 +646,7 @@ [New] added check routine for bandmin/load badmin ipt rules [Change] revised dns UDP fix in udp.rules -- 0.8.5: +- 0.8.5 | Jun 4th 2003: [New] added default TCP log chain [Change] updated chains table for antidos [Change] added common irc proxy probed ports to antidos ignore file @@ -731,7 +667,7 @@ [Fix] fixed log creation vars [Change] changed drop_hosts.rules to deny_hosts.rules -- 0.8.4: +- 0.8.4 | May 27th 2003: [Change] moved default policy for udp to bottom of main firewall script [Change] removed header comments from vnetgen.def [New] added ipt_string.o verification check before loading iptsnort rules @@ -742,7 +678,7 @@ [Fix] revised DEVM feature to write directly to crontab; cron.d proved unreliable [Change] revised install.sh -- 0.8.3: +- 0.8.3 | May 20th 2003: [New] added prelog.rules file; for addition of log chains [Fix] fixed preroute.rules and invalid APF log pointer [Change] disabled ICMP type 8, inbound; by default @@ -759,7 +695,7 @@ [Change] revised README, and install.sh to meet needs of DEVM feature [Fix] fixed cleanup issue with ds_hosts.rules file -- 0.8.2: +- 0.8.2 | May 2nd 2003: [Change] revised vnet system [Change] made TCP_CPORTS/UDP_CPORTS into for loop; 15+ ports support [Change] revised conf.apf @@ -768,7 +704,7 @@ [Change] readme file changes [Change] revised install.sh -- 0.8.1: +- 0.8.1 | Apr 12th 2003: [Fix] fixed issues with vnetgen and the adapter variable [Change] changed cron.hourly job to use the init script [Change] reimplamented antidos system with snort portscan.log support @@ -780,5 +716,5 @@ [New] added iptables based rules for snort signatures; using string match rules [Fix] removed errored private network ban in main firewall script; was banning valid networks -- 0.8: +- 0.8 | Mar 10th 2003: [New] first public release of APF, formerly known as FWMGR diff --git a/README b/README index 103c5ea..e658cdd 100644 --- a/README +++ b/README 
@@ -1,7 +1,6 @@ -[disclaimer: work in progress still] -APF (Advanced Policy Firewall) - 9.7 [apf@r-fx.org] - Copyright (C) 2002-2011, R-fx Networks - Copyright (C) 2011, Ryan MacDonald +Advanced Policy Firewall (APF) v1.7.5 + (C) 2002-2014, R-fx Networks + (C) 2014, Ryan MacDonald This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/apf.init b/apf.init index 85ef225..fb4f90a 100755 --- a/apf.init +++ b/apf.init @@ -1,7 +1,12 @@ #!/bin/bash ## +# Advanced Policy Firewall (APF) v1.7.5 +# (C) 2002-2014, R-fx Networks +# (C) 2014, Ryan MacDonald +# This program may be freely redistributed under the terms of the GNU GPL v2 +## # chkconfig: 345 55 25 -# description: Advanced Policy Firewall +# description: Advanced Policy Firewall (APF); iptables firewall wrapper # # source function library diff --git a/cron.daily b/cron.daily index 3a98ca8..39ed4e2 100644 --- a/cron.daily +++ b/cron.daily @@ -1,4 +1,2 @@ #!/bin/bash -/etc/apf/apf -f >> /dev/null 2>&1 -/etc/apf/apf -s >> /dev/null 2>&1 - +/etc/init.d/apf restart >> /dev/null 2>&1 diff --git a/files/VERSION b/files/VERSION index ee988de..8318b50 100644 --- a/files/VERSION +++ b/files/VERSION @@ -1 +1 @@ -version: 9.7-3 +version: 1.7.5 diff --git a/files/apf b/files/apf index d4f2ee3..401c936 100755 --- a/files/apf +++ b/files/apf 
@@ -1,32 +1,19 @@ #!/bin/bash # -# APF 9.7-3 [apf@r-fx.org] -### -# Copyright (C) 2002-2011, R-fx Networks -# Copyright (C) 2011, Ryan MacDonald -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -### +## +# Advanced Policy Firewall (APF) v1.7.5 +# (C) 2002-2014, R-fx Networks +# (C) 2014, Ryan MacDonald +# This program may be freely redistributed under the terms of the GNU GPL v2 +## # -VER="9.7-3" +VER="1.7.5" CNF="/etc/apf/conf.apf" head() { echo "Advanced Policy Firewall (APF) v$VER " -echo " Copyright (C) 2002-2012, R-fx Networks " -echo " Copyright (C) 2012, Ryan MacDonald " +echo " Copyright (C) 2002-2014, R-fx Networks " +echo " Copyright (C) 2014, Ryan MacDonald " echo "This program may be freely redistributed under the terms of the GNU GPL" echo "" } diff --git a/files/conf.apf b/files/conf.apf index 7bb1c72..b17328b 100644 --- a/files/conf.apf +++ b/files/conf.apf 
@@ -1,15 +1,14 @@ #!/bin/bash # -# APF 9.7 [apf@r-fx.org] -# Copyright (C) 2002-2011, R-fx Networks -# Copyright (C) 2011, Ryan MacDonald -# This program may be freely redistributed under the terms of the GNU GPL -# +## +# Advanced Policy Firewall (APF) v1.7.5 +# (C) 2002-2014, R-fx Networks +# (C) 2014, Ryan MacDonald +# This program may be freely redistributed under the terms of the GNU GPL v2 +## # NOTE: This file should be edited with word/line wrapping off, -# if your using pico/nano please start it with the -w switch -# (e.g: pico -w filename) -# NOTE: All options in this file are integer values unless otherwise -# indicated. This means value of 0 = disabled and 1 = enabled. +# if your using pico/nano please start use the -w switch +# (e.g: nano -w filename) ## # [Main] diff --git a/files/extras/dshield/README b/files/extras/dshield/README deleted file mode 100644 index 0ba5866..0000000 --- a/files/extras/dshield/README +++ /dev/null @@ -1,10 +0,0 @@ -Running the provided install script will setup the dshield client to parse APF -iptable logs daily and submit a summary report to dshield.org for inclusion -into global attack trends. This feature is directly related to the dsheild drop -list as such list is possible by providing the dshield.org site with live world -firewall event logs. - -Simply execute the install script and a preconfigured setup of dshield's python -client will be installed; as well, a cronjob will be placed in: -/etc/cron.daily/ds - diff --git a/files/extras/dshield/cron.ds b/files/extras/dshield/cron.ds deleted file mode 100644 index 089a693..0000000 --- a/files/extras/dshield/cron.ds +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -/usr/local/sbin/dshield >> /dev/null 2>&1 
diff --git a/files/extras/dshield/dshield-3.2.tar.gz b/files/extras/dshield/dshield-3.2.tar.gz deleted file mode 100644 index 43f1155accfea8451d069d5f75c9330d1dd55083..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 29866
zS_qmW>R`rP?H2y1(i2I%5f&*8qV67P+Rrx|R^QZ$y34e5Nsr$mA+*RP_k}ZPm7XH- z_G*^Q7uh^tEZrjHB~*7*>fU0W7UI&9!h%wPFE@-xR{+lsCoHfg$ugWM$a(wPlCR@R z;scP&WJ$3IS9INd5maL;lk|q|Q_im_Q&2$i7}c02i)qoc`Vuw;VK|sVv<*oGMy*bX zjBz;^Z5AW1Ex2+_jWG}s9=fF%ei6T%4mpHIL+MKdnXwm2F^d?yG;gv8_hOB`$R=2E zq98yhFh0Q_jJ5-w-<{6l&chOGKxcJE#C4(W4Yz_I-$Z{GbOde^PQTLBl%T+0Q1A2$iIxnC@G;qBt`t-w;p=I& z&$$$@i6=SH-*zxurq!ED6OFdhEq4UJt*7jnf$!R!e&`+w7x|%k`k4R0@mn^|Q;uaH z3Jl)V@&X;0YQ30}IQEBzi99cOs#3$atvk>KPOtQl#Fun`AoLZ$ST6i&1GOEe3L`v5 zyuU}DQ}LbUt~aB6{zjQA;_#4d@s`8z^4VJ&=RO_7PWwwch})%eNaA7MZnud7(WlK1 zE5zfFXh5;a zr!H*TPAre3)zYW|IR~x=ff76{ccpr_l=<=7=gJEfRbdcMnK^~GA#SH~4Lx94jUQ)vH zX%%u0Ed-&E#CT;=_HL_nosOnjfXcq?arlh#AV+wsyW7|z3$T&J)ZuyOuu}v`X_W9`bTHRZ2mwLW2ChtINLZw_zo%q zyZmEO6ZN=umK!B?ER~YHeDP2Rk`puO=KXMHRP#8`uR*J%{6{iI47AjK_Sv^>+w|A@ zLd)Zz;$+H|h*?PTtB+LhF@u{YNM=?aT5Q}7c*tAlG9y=8bhXrXG3otq=ijfpKKrVEh#w~gmjo$9y9}Ld>29*w($#Rkb zODzG<^I%It^9)_dC7pchM&1STJOh;%v}q(gJAPD01fgt-CX+fIr@H{Ph_6l)be)Iw zM#A3SAfwB6z?SKLKtbf3afb2KQa_NdiVNZmMV^-CKIg&>7BfD@w!Zu#QHZ!dH0N4KjTJI~=_ETG|6y9* zmLxtnK6%|g`krU0>mLq+5ygiRqA$?*46!o->=`D{Gv1XMi+JE@#<3@8O(~P^sGYTb ztYNvpaLIiYNN#jT8{IDL^Z|k*GZm>qwZNSvCIK2gK>IdaXv!c&AsIi(jfpcC9(nCC zd6$OL6I);8!~>74I%b+2j$Qc$lkV({{p_zUQ$$sPgevkhw`H0;rCAy^T_Dn6kQP9v zsGTBX*o1k<>P0ltL>G3hI@S-{he{yS5iy}-l8!2b{h0z>^S<~^pA`-=9n&(yt=V9K zO9zl8w?y_P%l^!xl}7nCNcJ=BTgW;WJf@rUul7xR{`~VlCI6pLoL{|m8l-B6)y5KPac$Zi<<< z^VL_t<2xYEEf6U6g9d&1})mTCwVc)`!Bk2ytUowbXuLAt%q^^@~j)hJupHoE63;vbFJCMf*wmQ z=D%b0{elJqRzGE%dagjKBVwPE!lxB${cdn;W>Ir9axuyfYi7Tf6*?i2YLJd zr)bBV@fnqe7TeI0DKSNHri{IrzkF^Ye{O*4=2mbb<=7^-R`Ec~9^G6cc|+is3Krxt zu>VLH8?RnHz|mfJMoW_$AgP0WUXd;KVRpg5RBL8tl1w9J zM5pGJB7||(Osod4s*QxPu@Z)&xw0!(S9}yAzE7}^DiAO9u$!#7ZZut2P>53$Us7chVsNZ5F3{4l zd1Nm_uw=|Cdlk?4x`uuj3@S!qPDV}hDACA-T?0H`TlcTkeXPyBg^FnH4s&%lDO?QS z>D=6(a&?&I31S(X-fk^t95pvE;DLk{U7&Z+Va>&QJWMBi)wL68i4kMyNEdJAC)g#S zVz3|Q+Ma4h=kiXe7t2~>a;G*a4O-0Du9g9tG-S&u9YV{pqS4A74Og;>5$W=iw4Pn! 
z`0`RbLu#<3dNu8dmCZ?^L|gJE?9;e*5u8jJ&sZ!MmuV_``WRSzT#iemcMHR1y5d)X z*A>@@!EoAg%lO^OaYj8+zF z49t!LI3ov8@uEA9xIjeB*_5Lrq$SV^$@RN%GE@LYK$~7uaf4muGp$Lb&v6*isBJRX z6#MUPF7qc;MDbBrxG0RvQHt%t4V2S1Fc&SPy>|4!q7RD8^y_)=^u<}+J$f1+93MUH zpZAZC&f;gsr)JS<#!vfa=coNAFYyyU_~Q6!|5^W_i!U(vEd|+JAu8!{i7-p{NUf>|ZB6fjT=ptX>tdmHqKTjgtnRp}YeFKtb z52RdghQ!5*kq6hLh&PCLY|usNqCmF@2)V8+1gmxTqBKeMEzKh@APYa9hHP#qtR?JSz3A}$|mW+ly9ggVw(5yRr*R42uF5pZI6$Yu+O+h_|>ijMENNy0D7 zf0 zJJB4b(fly^uSoV7@q(;jSgcP35I>PD4SHNqdwdIASIpTWjk>fUsxyI)? z9Ww|D_0H)q76gkZPbo0c#nL$VY+?aiv%z}N;^@s%)mDQ?ZiqSauM*WdcWj-%D}>cy zUKJ9k8_R9*dn|V6mrV`H_L35V?{Y5*R>97*0BGYb%!aNN9H4cQfU$lp)!i`B-7UQ_ zdWVMr-(_J=HZf1l60o6E0jdQzYcUCQLRm_jQT`D&Td-84!W`FWHPM3xSx8hLo7k9U zL*leEPzzQJ70--br%fS2>DKC@CzDCOAnL;YYhl6?Ef`X~cqPS?V0rywz3v12V(2eT zlfc~h&|4tma4$5x!Gf)8eB%SLKD7`GUTxkkZlQW%l#QmNk?}9i$7E$UkKbkKO@$_M zD_+8@yL8%pt*_)+_MBa8S!q*YLFFbKf~`9VviM>pn3R^hDMYM9fowL*5`spyxb3Vo z)^3pGZgvxXb}U8(w#iu>s-0Kv(_ar(MkB+={{_Ku{ebPc2PV(wmuDu<2>Z@FfZLP!tmm_lM499_s%qAF8i!Ws&k%Cw{nQwsGh zqe4-61;haC%^{-ai4b7IZ~;7^)Cm$1wsxl7n2@<(ZXxE7iMrWkTC?;jnGLx@0tA|C zy3%0NVjPny2Hs78k+S`L?g*x?6Eh}_ zOV_M8_^w#JiPHD!Ow?a9oN1AR`79r;T_5)Lw=?Dv ztyfoAC2Ll79+?M2$F687s>)hSASKRoy(H3*Os#kMXu)Y=5wf=O87Wpu)BXHJ_VrZg zVrKL&7@d$!KGV=rR&u$WyG8Zt6sn_#3MtIg#Gh@%6vep&ikb~vz*h}ddAx%EMrU^8 zIy{E$n5C$7LKG2$+~fW_NK-FAbq6Rp0C6Rom!c6F?5a{yc1$;eB&e1}jfnu|m5`?1 zdAqfNQQ;0rP`)KA1AYHbn5~x10x}rj!0u)(-JnFM7BJ$#N8(rxtm(I zge7azu~TG4a26Rifmked)OfXm1tca2w@nquRf3x25|qS>G&}TIFj5bfX$atc>C9wp zUAXYPHkk{{+H(ul6%TlHb#qGl;M09Rau3$8zs%(C*n`2k(-p+hg*q$Cr^=XlgM{~2 z{7`GA3>k&3X9@BvCqmCuj8V6(mO#=>qv*^aT}oOlS%IJMN4H8aF$ z!Xx^Om4yBP;l@wqFFwtjptkq$aWFeCZHX6 zDB;be`GnVnU3?PU&-OTY^CardOg&Dh4PUE6Z5MN)woGeu!5T<}eQNldFi!p=c|LTa zSvsxD3^C%jbd1xHh$aQdctd9xGYYn&B7=*CirX+NTXF^Wr<3{Ndfs-iYggx&(b0=a*n4A!Mth+6?0Lr81Ndz z@vfH{aEinbB<7kXvK&SxzlKsvNtTEdQapk5I)x#Z6)0u(M$Q9K1>Q^;m{7uL9zLGz;O`;gchXuOHf zn1z$>I=jd;fqRtPIPbkGip%qnc4o*>0y_GwIL6psQ4+8##{0S&7}pxv8)DpXfa!c{ zr2j;Xx}`mqVq$Pp!{TURMxWx?lM%b&N0mjas5lzx@SrVz6b|GU0p%`H{{u6ghd~XM 
z3#5m?;4E#KvyrsO9Lf5NM2g5IF540V2fvNW642&wXQykNp%y}+dpKDqQ$xv@c<(s4tDjEl#LKYlwKEJzx>QV~GG0&r-kv(k3 z{Yzo&Y)-Kpc(yPk&+7Rfm3r+ zqWX5RNP(&!oI)0cc^&y6;Ox{j{sohgQE^p88aS!T*0HD54dc@Y^`mPtS4rP>QMn^c zakt4`2D{Mg#}YEcns+7SLgSzCdT7(nRT?i4wR6ekLlz^trl~lK#DPIPxKCBt|rz<+r3J+_pHRAh_It zoM62W@e{E(=P;byIoQ<2G9k94`?YqmW3b-8nt zI1!O?R2rdq`81LSlfIg1i*pUb^a^%qi$&;fI{Rwma_)r1PbECVPXClm@>sAqe!=^g z<_NWRAvqD(|3K|7raIb+fiTGIy<{wKW3};lVx)tV z@Dmp=p=3}wp%CKhJY$*gymD*8W2)KlIrjqVJ_k76sFHX=%aFd43viJxb1UJh#e9i8 zvl8)T+nj4vJH@6(y;dlefWK(?1l$J}9LkCj&}2+I#aZ#E|Kiqrwn9B!XtWncmSTxO z6{@vj@F2#USW~_?r0QA|b?XDjw6M4Ad2-16V3A zc>9=Cfygg}kd8&69RPg_Xg6}56XC7_EhZs9pP@W45dkLX!4Q$dd+7{}>VCY)hf7fg zEWCWx=17>eq3BpCi@unp@3KO2xUuC3YPMR>k?#GPkaUp&AjRT3WvG-MpJ8rc8+>_i zFp0xwAnu&Gmd!F(DHe)nkoG9)5g4K5^>R&fu8+hdUbD*3g^QpRHwPU=4uNFh+HxpS ze~8OhCcK5T#|xS?=%PKLwZmO}sOiR5RJ{nmL`p?J118F(G6<+sPP+l(%>Z`R!ba0; zam=zUMkA;P<_)N2f!cz^%tL5{k|NO{KBcZ~gMFADjzhHKI4sTGJ2bT1=Bg#AILU5Z z3`=fuzP-ZPpeskSDknoim$up_JX#EDa63F;Ly0mW7Eb7I7=>D>|E_d{D?+u)AaBM} zMXqA%EEW*SSx7i95a*l`fWNW~pHkk8w3Lr?r?VsT z$AdX38*#5lMKID(eX7&Zar~-#dfGiYf6e>fX~$1`2VK;QIDg)YPfm}&KkdGV`)3vv z`!s%b+Uv!~&yZ$*`hBm7=T3WgB5VsWvOxp%)G`0N_vdr2K+rpV(LX<@)}FkMyC)~q zI9D?`?7pJa?EU$mcXE#6nMctvnt#=&@tmD^@k0M7es$VEM>;hcL?G^I|NH0X@$=)u zr@d2-*4?Du`NjC8dwSmQokcW`ANo(rliKK>(Xcn-SN-$n$1l&_;4!)G(d+n6{iCPN zxYy@~dVfAS?VZv5BWk<JpK|&-&*_)CI>EcV*-UFAuvkiI=A*$7em*Z?J^a2rc+&|Ljk3 z_bk$d{g0Pj*AT5Pweg~Rbif-`*+@(`etrBBT!ZF)_!JLB_5c>Dhl&@ygY*6mw7v8s zb#wOeMNilJ?3@?q@Gw5=9ng4DN#d+``a}N!>kysxPP%m%c*`D_P<0Z{!#YsRL-S6qNVKIY!k6!gr(}H%Wy7^6hg?{jx|C)}`ar~nD zS^~3Q>+zsry2$PFsh~sQPiObZG1lM-ji=AUqJdyRutiV1FS_6N&YF=s1l+X-lQ-kD zlioqU%N0Qm=;+a2AIhrGE&7j_*hTt68;QHLotPTVp>7%OAkNy6oe}E0dN1p~@5=eZ zxi~yN!(o%Eggj#U^GOd+pZ1Puz4$tH4-Q_QqM!&pfj4M0XD{ip^^bT{BFvX>bN}?I z-6vk>_*u7q`0{k=j8V_Ww1jAq&zjp1J7i~#CZB=0|BSjic&@t_mu~Ir_&IIGlO8?R zefmQmlt=oB=q{Y~bxn@71zkrbY@B>b^W*1N1n?vFACEkjFsUwUqhet_XZ}xLz6QYs zu8nfJ0w-8G;|gLI%xjXPm?7d= zRCT}<(9|$u_x9Kx=J-DLG2s{Wu^3(f2l7b88U*uFGNE}Ly?vDyM* zEKOgK?r{mM%|wEU5|@}zrS|bjip@{ 
z>DMQRNd)D5b-3rMOk*FJU6kZT7p=EmQ1Xcsl2~q?9C~LMw^A=hNjH||=l1Fa2wkzN zhFv47XRhmPLYIL1NO2G-G{)RPgp9#|?J_XbRmkSu5l0MKNGA!}XrjueX>mV-O`oM6 zR_~5wmUME?;^jKDI&~Pl@bah`^2M*YazvM17YC%eATR6XU2FcU*)B@1(}z( zr2FLT_>e@8!`GqM{52m5Jq=u7C;mU2x_YBvNLF>Zl1^@{hj~FdLO+5#S)vZyf+kWq zX?HOA>=K?|0Si&hJS zoHglUk%?Q^CH!j&iB6Uy^N@?okKm%@xAa=w(%xMxvc5e|XIz7lpK6eP}1^ZCGmJlj_2gg*BEnerh`S2Ey>vF}x z5-)CDM-m+52f#N30*X>#?VK9=KfyV#SAQ(oM@J-!$V6iE6WK#K0twS>%T%;5v%T61;u@=CGJ`*HB$&WKp+~ zH*nzmg!{{;jVMTib%+Db$2JQ|Q34O`EQf;{#D;MtoP{Q`;BZdQ1l3=_av8B(ffVzlQLtQLeHviSYHlIHq^$GEx1ZD2m z@8bjbPumY3Y*p}|wjVzHT>s@a`Bd?jfNJ^$(bDTLLa1-X#|NL=Z{Ue&9eNXgJS6?n zV|6XA8B`l)-HsU3Rf@8m4HEqRw)IPVE@6e2M6D%vS5joV7da;rZMX5mWp=e-%cTV6 z_ay>Ukmz^YT%e{vd!1kO#V8z{5MMSXNY#S-Xz{yuPs_^Nr)W2lPYH(MD)KVEkAHuwaU9xPQP@ z=+oX@p+p`(33fV<%j?Wl*aa)G4P0)-@bX4edtbB}^+Y=0ePA}gAgL0aj2gH5JeV#c z!!~0smtv|qubi|ii7@_Khr!)PZ2{^ak{E}~a6fe#wZdcNk0eXCZjk{e>1<@pDUv9p zqNoN{Oa;P={JjWl+z;?xNIm>3n?tx%fvg#Rq7hE68aNv+6(X`O70K8a0dcmAGRk5T zQjtW83UoLZKhVPWBIP8mh7PbRi*Q#3Pj-|iLkCl#vs)DEHq`*?eLdq0`Z#N{?IN3y ziqgdHkSX?RaSyHLd!8b42Se+d>;nt{l39%}*LR_#~CP>oqVMI%lCH^?!BUYJs*#} z4FIaK761)PgVn<|UQGz^e3DOX+tqAvU zK&A29^w#0>Os{9y+`8^Iej;t!|I%`0g&L^%r0`7+m){#Z`PBgQ^n#;O728cnwkuVOr5Ex@SB#3|rLrFG^u~+U>&MCfwhU49NQ-J8p2A%<7|46r&&6Ly=^i#_X1}-$MFF( zJ-l}C!x@c}t5v-#gc;^wAY5T9e~X$WN^0o$sxY=WxXM}=*<=$*;rN~Y?M1guf5$ep zR!gK;T$dMAjzLov3L`#ZERi;3vh80&2~IiTEY%_;uF{upY#`D|iq&HlD%^W)4CoE$ z{u_jy(CKX&G?%7Z2YG5^r$c`+01yAdSCwjONdsDXDA6o3iYS13RTC6UQ1#Z8}RJ=V~r2+|7RVH7)exIRee62GK%?i}DsihgEJGvHOay zA6L2X!ke)h&;qnP$6{J;B;Y0zo;*XbqWq%KF5h*3T46}dg>+QsrXvc#EsDyr)x@4$ zvqyy}@-$!*Dz$bsL+MCSgOrOQwZ!7B;{7S@k<{3dU3%p_SPG7A8M=6g4^2CSZL0~b zudO=*#G$OtPcVIERa#_;(*S2+fK3Ml;XYavNifS{e=Yd#?KjLoC6xnYK}Ev;E)a?; zFv90K%Q=QKSsD?icj!Pyw~m9D_Em1k&ymlw^{lLCjbn1CEcY(QQc&G^4Vl_LVdcQ|h44mKrkJrIaMU zbZI$w9=F|U*5KoAd!5CmX)+hA1RPXYiyP%z;I1MAos~Q0$}ECR4?S{9WJ2{4DAxDbikK43svM4GCoTpeWkR;cQi>rWHaz+%hM$)w#&~oNhIH}xJjROGQ z7Bvo1g*?qkt$JwC5=(XL%_-U*QF&BU_?zlKiI$CGs7$5kB~2%;b-vnecOHD%?zC%) 
zw8)XKD_a|lSd$6>0?V%-nayL!HQ*!+p?b3{7edu@pN**}NnozHz}3!9+qJ*Ue02^u zDRh>kN@>me_@D)Jx#Bi3QM%(5r{fm^74GJhP-IpsM{{@%CWI8S7#dk(6bhtI= z3fv55r-_kPEtYQ!TT^_=NFr22v>@|B3*KMzl;4xmrHM;0(G@}Hz)VV-&>4wp1?+w* z2`RJ#XFQ-(CAHPXF3)f@(9y6|dMlFpkNRN&G0e=Eb4Ke?_Z*cuh|n`Blfsi)c@iYJ zym0=AZpURU|CRIZ>v}pJP-|K)?Esf5X*%R%i<)rzTaiS$F%3p8w}rH^4Aa`+aP$@( z#0}hQWW;L@SfQ7HC`kx%<)5v&1^e-anW_XS=<# zz0=k|H%ywVxdcUKL9Cc5a-(0htip9zm~X~!SaW}2(ALgJ#oP2&cDFlmrDKVn zOf-cgzyNSnVf`vg0yo1CR8})#eu$AZ&6F0lpf%A7)`!o7p)&|Zu}sey2Mm&j29nb& zo010QjXI<}ob+BeOQ>|aBt^``!Zk_D9c%8i=ykL%P)8hfI=`+isaxr4sbA{V7y6AQ z5khJmU!+!uHXIHU3GI(JA{>;@9k4a16;1+SjY%LgxSn}7X;!#IxE^=U7R&crO%}l< zAZ?f})05y}xI(%-u~Q7J96cy*$Owj z*@bN-5~c;KZJ{AKOweLiV4>X3AeqjsW=Z8J$PO^s7elr}Wh1n!(umrs5{FS^Ax72j zgNllX2P-%8U~4O`I{+s>NSf)9-%L=lc-2{3vn(GX4DPJapI6f>r%|}W)6{4oUk9Cq zU2|lawcpI_rBP_XWVXPe59$E=pAy$pltH~|Xd^`838GK54yml=N%#DDh0RaiWu)42 zX8b!+Z?w+47Wz$-+29%qV`__YA=O|j?t0NbtTfDm zlik#nv&1O80Z8QX(oTr&@@*jNiSune*BWa&-O@ta*(g}FhRwheI&};Mqz=QLjB+(z zEXd{!?2 z!@w|t7iPHz-HPiW;3g5dMuj&^$iFj~drQuMQyl05$YGNJ>m-fc5 zz_8dsQvK5T{fk}Dp5Fxd@M*>s|J$97o%kI zwmc5kg6}A<4;R-B=?(z}bB^Ft({j!gY)hVfm$)vJ1xSg>U@pvRV{@aqOq-nRHRx0b z#SDoY!av`sjdywNhB-qzNhE`?GEUfFzT_s{j*ra{(_Bv;<{XjAqX)F!#&urIu`fUF zgM9vsDhgV^Rz7Ep_Fs;>UoJ!nJLix#GZ!6-`Qg(3BP)TgT40C6y=RCcIP(7Q!YTY%5{*-RglFLoX54>w5TnK zz}~}}mF<}_87!Z~Kga^YN)^UK(1X_idSJt6|HOU~zRk;%fPD`K^( zu^#nA3kWxS*awykVLx{2aMxLl!|`;E$lN(N^axUyj87)MM{%NYm|KO;3MdA&cv@j@ zSFH+0fV};x8P_o^QMc81Zl0dxCOb0BWtu1Hkna zJ%TRTNC6<3LvrE0423+e%-9Zwl14{HRTMArW02MM>iEn zxvEH4hV!b6YAgbJ5p$O{jqGY@2m=hi&Uai{Fz3?D)Cm*p2;an;6sTB?=wRU*zF^yG zw~obUOw0{Y7z`ty8BS=?O>s5HqZ*bVJY)`G-on+a6gFqGgvUbVV|V{6BJfBKD5&@h z7rY*Tt!i=}$p^`lsHlNk2E>FTEnLD!I6nkyS(u>hLQ!tKRpvYhIlz{8Tn=&-1o?)9y6O|K5)7 zO_I4Dna94IQk#86!(!gfrZ6PC@99?Bi?ha5^AD*0H6TO!9+Z@RMDu+yFqJ} z^1n6mSO3i>ei;bZGoB`;$HXTBFQX}ai6IZ&+-lK?i=F* zUNkAWwGao8PC)+vcdvkE9JlSXA-S6_>MkqnY4eMkLmzxOGUDi^L52ibOiD3xg$sW% z9%eXr5?fOPCJBjwnV_HZ-MGl#x8wRzHc0>ALdg|%Ke<)PIdGWL7DED29jvZoGxVWS 
ze>BPpC8%{By)0;E`{9>A9-naXK9R#?doBJVZV`uXwUjJA;y=Gp3Uj*@aYe!xP_(Xq zST>UqgQXaKw0DX2l$buU@P}_q@Ch>o#5->xHxlu{O^nfm65aBU7Dc*>2&;>AzDP!) z(hDBjTA(qd%a5|5wPf=PV?p$(x(H3YHE}D$`%0o8fs$rZZG*QWaMFpRU)Uqu*`tq$%KY~v=TV7Ab<>=@?ium)hA%5M zzw>2%ruwpw{_xG^m*pA%W-G_kmB>7r{`bIdgo;K^Gl@$|1@CP+ES%e$pgm=Wv@ac+ z(zdkeO8~r6^LwB~qI3Ev|V z7r${w%t_Shlh7df`_G^6zj%Skw)k({)GeA)l4$@3@>!BD>jJLKnk+-Ha(F-kMCmns zxVZtEGqzCr6sf8S7E=XrK2XUK7RXT}N*wey6lhTC{v%NQ()dE%NYn>^XjBj=uWaZ| z#ip1;SZYWvd!@J;78pwHtn^T>Z12uwt=Pt1cb*{|cf*gsi6oEQG~y3A*;Y;^kYpao zpWnoxE%?Jt`L;~TDSbdKAq!b9bcHm^n)0@ zuG7(U>1Bmm5b$4)dv3kM!zM~EKP-`#5c2rxAM|Ms>|TD_fjdqvNyhHRwJ&O}Y>9W< zT?@jrIMv$GA2I3^$z{<(q47AI1SO4Jta_qCg8I5tuH{%Y5ijyt1eR%jp#UOUjHP8U zGW(D^icCkgaf!9UM40d$PcXJjj*fRAl{K@yfMrdpiKX@K!WRr zh|{s4q$>!N`FPTbpMZW!hniER2c$3-Ey*9vD9q3y$sWaVbm2?s4`KW(w+SR6#JUNx z5&jlQ#+*UtFQ!+sWGJAgDvmqEY%4FftigZ@hN~6%n=%7W5aEiyNZp&+%{)nwG?e|(V~!2?qXC5 z45Az0oWya`Ns9)8$hV2EHMUcu0RrCHjC`uDPsWp&9IJ@Yj=vXWbgBJ=nB9{Y1OE@|v?rlTPFZzgdKE|Jll6P@sWq!ZJIR`(@=er`WFsL|ap zM!!Y54!H@UhFm+?c>38PrfAgyUMvj4{OQPV+W95SN2k+K^Z%^z;Dej#^WE4UPh{`b z?DXQ~1;J#m574n0sh~ivGv86bCv#4ZPftY(F74YpNw$jPXDoCmG__N(Lm|hxW|I-T zz91HoR~lFvfUX_Xj1>yW5#-yYGFalcjX-DEEpLN)|kmW zs!#HXs&=FxL5Jg1BJ9Hv5f0u4ULK~1FzL`y2-gXNQNRJorYU6}L~c=vN^TWusif&! 
z_(0@~%u+XKl4p}_I!(27`}j7}e)prYl`Puci#yvSLVUsh2X!=Ot(U~OmS91V-YQz0 z8-JU-i*_ISS08@tt1{wfZ(H8&d`h=tn!+``ykz3*vWKdsrN(OEjR)7TQbCy-gkWg< z3;yzkGi2Vx_0CpASA9W@?b}BAB)Ua6Ix${4YcK`6$0A-EU`4=fCW#djfR*j6S!j2S zH@yTCsU1q_n4F*njExLC z68&xW7sK^X@lbd!CoDpRV?^_GXwszMd~@i40T)!F<|6u|-Kj*)g*n}V5m3q87D<~C zL{OY19VfH5AQ$p|_lZLo0QVDXHnFHpn!ulbiK0LDhx^)m^Ig0{Q~`$K&8@FCx9I@x z?C(C<-`gX4@|S!TkrVUFTXmh(lY)}dwB6H_i;D=&(_Y)*2CY?4?7PZ zJlNjd1OCs>&V$Zp{GZ?AQ%Y_HwbufNK1iH})Voj<80vooYC>741R)5zV)o4MG<|^7 z@WL3pl&&zjQh_N@MwXa4uv0WB&t%MM;yUqPWEK_TNNULy-fZjjM8-#Z_bX1#Zf^+{ zaIv#VSR=e0ztS*WmkT0`vfF+y0{4yP=y051HjgZZ&DA^LiE@wcp%M0Fd53|KyIQV- z#ZW|D&`_afOJyicluqW6FCjjJ?wc6OUar%t^Q7a}G=3E5F!Ys_8P*MnH1w_%Y$XA5 z5^oqdI%vO0%EW?NbQe3UBln&|wDk>Gl`j`=D6zY;I=+Y;1pHF%*5eCR-kRm1g;X78 z+QroHV;yWo`d+F=$XWp-C7Fo+qcJ`!g6CXty)$T;yk&`6mMNwlIF!!NU;rP~hxs?1 zjYq(BoFymGEW*-Cyvq_Ev-lasBBBv_-gsruDn3GRWl&&rcTiyb%FrmoB!Z@oDRfKA zaVY(xv)<`BPvNY0*gH69i#4t2l?QX)kd)1h*o80$8Vv~wo&@NW!WcrG5(I{lY0Tnq zB^bh%kB_@mse!qNmq7#jH0e|E-l6Qn;i)nljRkbpnCyO^pcQ`Qq(%;erNq z#a%LVhFs1_E$3Vyndk)skvql^bXhvfE|-Ipol0n7TZBkwjBSG4NENU{Ans$!;1(gR zpKGI{^mzurgkxXmTVQ32$gsIs&=I-pI+Xw~scy?a2x>+EHnL?g814e=0@-C`CEPea zF=0qbj_pJ2c%J_wvQZ!wkq{!15esJ|9qnw=|8MWoU-!2j>~B4+NJsx_Hv0eB&kFhP zYI^nS_VEGvue1AL5BQG{w)VDmA^4H}x3{zVS^oPiK15(xmJ3)1-MVH;`cng@&pZn3 zmQj#CBruU4863{F>4J{W*Z}|@sO}9u%!it;aAt5(^4vg zQ1i&j!Sm>)@Ul*sf#QQ1vol2`o&Xd_a+*9G2y=JMRRJe)!O0pJ-qeUx%Z&mnXDJ93 z>Sxg~MS*H7q&`bWiI!CjAt+D^o)vw7ek=t12(VR3|G(p@RFSLDZwgHF(dysZWoAPZ zugq<>H#?optxnw8-QU{U@B9zuHY?~q-Elf?N{)BcegvA_5a`GQ_}x^ zDLJM7hshH<3I_Bi>aGZe>`P+At#*9IG$c~9qeXFn#=Xl&L@83S01QF6=7~X3YAJb5 z=yYKQ9*|xX!tza(v-#0Rvw!vK{@?#uasS0y@+H)x!kTh>&g-@S_HpX~>qKc7FJKc7FJKc7FJKc7FJKc7FJKc7FJKc7FJ hKc7FJKc7FJKc7FJKc7FJKmULF{J-*FaRC630RWazK~w+$ diff --git a/files/extras/dshield/install b/files/extras/dshield/install deleted file mode 100755 index 6b2006c..0000000 --- a/files/extras/dshield/install +++ /dev/null 
@@ -1,23 +0,0 @@ -#!/bin/bash - -if [ -d "/usr/local/dshield" ]; then - echo "dshield client already installed, aborting." - exit 1 -fi - -if [ -f "dshield-3.2.tar.gz" ]; then - tar xfz dshield-3.2.tar.gz - mv dshield /usr/local - ln -s /usr/local/dshield/dshield /usr/local/sbin - ln -s /usr/local/dshield/dshieldpy.conf /etc/dshieldpy.conf - cp cron.ds /etc/cron.daily/ds - chmod 755 /etc/cron.daily/ds -fi - -echo "Installation completed." -echo "Binary: /usr/local/sbin/dshield" -echo "Config: /usr/local/dshield/dshieldpy.conf" -echo "Cronjob: /etc/cron.daily/ds" -echo "" -echo "Warning: Running the binary from command line will send reports to dshield.org;" -echo "repeated execution may result in your IP being banned from the service." diff --git a/files/extras/get_ports b/files/extras/get_ports index 66d92d2..d25183f 100755 --- a/files/extras/get_ports +++ b/files/extras/get_ports @@ -1,24 +1,11 @@ #!/bin/bash # -# APF 9.7 [apf@r-fx.org] -### -# Copyright (C) 2002-2011, R-fx Networks -# Copyright (C) 2011, Ryan MacDonald -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -### +## +# Advanced Policy Firewall (APF) v1.7.5 +# (C) 2002-2014, R-fx Networks +# (C) 2014, Ryan MacDonald +# This program may be freely redistributed under the terms of the GNU GPL v2 +## # tcp_ports="" udp_ports="" 
diff --git a/files/extras/importconf b/files/extras/importconf index 36d1253..eee4813 100755 --- a/files/extras/importconf +++ b/files/extras/importconf @@ -1,24 +1,11 @@ #!/bin/bash # -# APF 9.7 [apf@r-fx.org] -### -# Copyright (C) 2002-2011, R-fx Networks -# Copyright (C) 2011, Ryan MacDonald -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -### +## +# Advanced Policy Firewall (APF) v1.7.5 +# (C) 2002-2014, R-fx Networks +# (C) 2014, Ryan MacDonald +# This program may be freely redistributed under the terms of the GNU GPL v2 +## # INSTALL_PATH="/etc/apf" DEF=".ca.def" diff --git a/files/firewall b/files/firewall index f7b153d..19578ca 100755 --- a/files/firewall +++ b/files/firewall 
@@ -1,24 +1,11 @@ #!/bin/bash # -# APF 9.7 [apf@r-fx.org] -### -# Copyright (C) 2002-2011, R-fx Networks -# Copyright (C) 2011, Ryan MacDonald -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -### +## +# Advanced Policy Firewall (APF) v1.7.5 +# (C) 2002-2014, R-fx Networks +# (C) 2014, Ryan MacDonald +# This program may be freely redistributed under the terms of the GNU GPL v2 +## # CNF="/etc/apf/conf.apf" diff --git a/files/internals/functions.apf b/files/internals/functions.apf index 063ad9a..4d78ede 100644 --- a/files/internals/functions.apf +++ b/files/internals/functions.apf 
@@ -1,24 +1,11 @@ #!/bin/bash # -# APF 9.7 [apf@r-fx.org] -### -# Copyright (C) 2002-2011, R-fx Networks -# Copyright (C) 2011, Ryan MacDonald -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -### +## +# Advanced Policy Firewall (APF) v1.7.5 +# (C) 2002-2014, R-fx Networks +# (C) 2014, Ryan MacDonald +# This program may be freely redistributed under the terms of the GNU GPL v2 +## # eout() { @@ -1086,12 +1073,12 @@ refresh() { $IPT -F TGDENY $IPT -F TALLOW $IPT -F TGALLOW - glob_allow_download - glob_allow_hosts - allow_hosts - deny_hosts - glob_deny_download - glob_deny_hosts + glob_allow_download + allow_hosts $GALLOW_HOSTS TGALLOW + allow_hosts $ALLOW_HOSTS TALLOW + glob_deny_download + deny_hosts $GDENY_HOSTS TGDENY + deny_hosts $ALLOW_HOSTS TDENY $IPT -F REFRESH_TEMP rm -f $tmpra $tmprd } diff --git a/files/internals/internals.conf b/files/internals/internals.conf index 3e6345c..4030453 100644 --- a/files/internals/internals.conf +++ b/files/internals/internals.conf @@ -3,7 +3,7 @@ ## # PATH=/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin:$PATH ; export PATH -VER="9.7" +VER="1.7.5" APPN="apf" ifconfig=`which ifconfig` diff --git a/files/vnet/main.vnet b/files/vnet/main.vnet index be116b2..8245828 100644 --- a/files/vnet/main.vnet +++ b/files/vnet/main.vnet 
@@ -1,23 +1,10 @@ # -# APF 9.7 [apf@r-fx.org] -### -# Copyright (C) 2002-2011, R-fx Networks -# Copyright (C) 2011, Ryan MacDonald -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -### +## +# Advanced Policy Firewall (APF) v1.7.5 +# (C) 2002-2014, R-fx Networks +# (C) 2014, Ryan MacDonald +# This program may be freely redistributed under the terms of the GNU GPL v2 +## # INSTALL_PATH="/etc/apf" if [ "$SET_VNET" == "1" ]; then diff --git a/files/vnet/vnetgen b/files/vnet/vnetgen index 4399237..5b2e080 100755 --- a/files/vnet/vnetgen +++ b/files/vnet/vnetgen 
@@ -1,23 +1,11 @@ +#!/bin/bash # -# APF 9.7 [apf@r-fx.org] -### -# Copyright (C) 2002-2011, R-fx Networks -# Copyright (C) 2011, Ryan MacDonald -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -### +## +# Advanced Policy Firewall (APF) v1.7.5 +# (C) 2002-2014, R-fx Networks +# (C) 2014, Ryan MacDonald +# This program may be freely redistributed under the terms of the GNU GPL v2 +## # CNF="/etc/apf/conf.apf" if [ -f $CNF ]; then diff --git a/importconf b/importconf index 36d1253..eee4813 100755 --- a/importconf +++ b/importconf 
@@ -1,24 +1,11 @@ #!/bin/bash # -# APF 9.7 [apf@r-fx.org] -### -# Copyright (C) 2002-2011, R-fx Networks -# Copyright (C) 2011, Ryan MacDonald -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -### +## +# Advanced Policy Firewall (APF) v1.7.5 +# (C) 2002-2014, R-fx Networks +# (C) 2014, Ryan MacDonald +# This program may be freely redistributed under the terms of the GNU GPL v2 +## # INSTALL_PATH="/etc/apf" DEF=".ca.def" diff --git a/install.sh b/install.sh index cbbdaf4..f51209a 100755 --- a/install.sh +++ b/install.sh 
@@ -1,24 +1,11 @@ #!/bin/bash # -# APF 9.7 [apf@r-fx.org] -### -# Copyright (C) 2002-2011, R-fx Networks -# Copyright (C) 2011, Ryan MacDonald -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -### +## +# Advanced Policy Firewall (APF) v1.7.5 +# (C) 2002-2014, R-fx Networks +# (C) 2014, Ryan MacDonald +# This program may be freely redistributed under the terms of the GNU GPL v2 +## # INSTALL_PATH="/etc/apf" BINPATH="/usr/local/sbin/apf" @@ -35,6 +22,7 @@ install() { chmod 750 $INSTALL_PATH/extras/dshield/install chmod 750 $INSTALL_PATH cp -pf .ca.def importconf $INSTALL_PATH/extras/ + mkdir $INSTALL_PATH/doc cp README CHANGELOG COPYING.GPL $INSTALL_PATH/doc ln -fs $INSTALL_PATH/apf $BINPATH ln -fs $INSTALL_PATH/apf $COMPAT_BINPATH
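Review bot: in files/internals/functions.apf, refresh(), the last added call reads "deny_hosts $ALLOW_HOSTS TDENY", which hands the allow list to the deny function and loads it into the TDENY chain. The other three added calls pair each list with its own chain (GALLOW_HOSTS with TGALLOW, ALLOW_HOSTS with TALLOW, GDENY_HOSTS with TGDENY), so this looks like a copy-paste slip for the local deny list. As written, a refresh would populate TDENY from the allow file rather than the deny file, so local deny entries would not be reloaded and trusted hosts could end up in a deny chain. Please pass the deny list variable here, and quote the file arguments so that an empty or space-containing value cannot shift the chain name into the first position.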
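Review bot: in install.sh, install(), the added "mkdir $INSTALL_PATH/doc" has no -p and no error check, so it prints an error when the directory already exists (a reinstall over an existing tree), and if it fails for any other reason the following cp of README CHANGELOG COPYING.GPL has no directory to write into; mkdir -p with the path quoted would cover both cases. The unchanged context line "chmod 750 $INSTALL_PATH/extras/dshield/install" is also still present although this same patch deletes files/extras/dshield/install, so that chmod presumably has nothing left to act on and should be removed with the rest of the dshield extras.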
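Review bot: in the file-header hunks (files/extras/get_ports, and the same replacement in importconf, files/firewall, functions.apf, main.vnet, vnetgen and install.sh), the removed notice granted "either version 2 of the License, or (at your option) any later version", while the new header says only "GNU GPL v2". If dropping the or-later grant is not intended, keep that wording or say so explicitly in the new header, since the short form reads as a licence change. The old header also carried the warranty disclaimer and the contact address apf@r-fx.org, neither of which appears in the replacement.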