Skip to content

History

Revisions

  • fix: correct GeoIP database path in wiki — /var/cache/nftban/geoban/ → /var/lib/nftban/geoip/ BLOCKER from GeoIP lifecycle audit (FIND-GEO-1): Wiki claimed DB path was /var/cache/nftban/geoban/dbip-country-lite.mmdb Actual path (code + validator + live hosts): /var/lib/nftban/geoip/dbip-country-lite.mmdb Fixed in: - Blacklist-and-Threat-Intelligence.md (2 occurrences) - Configuration-Reference.md (1 occurrence) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Apr 15, 2026
    b005ecc
  • wiki: add System Contract + Metrics Evidence Classes to Architecture System Contract (Canonical Invariants): - 5 numbered invariants that must hold when system is healthy - Kernel schema, anchor pipeline, validator agreement, CLI truth, config intent - Violation = DEGRADED or DOWN Metrics & Evidence Classes: - 3 classes: Structural (validator), Enforcement (counters), Operational (timers) - Unified explanation of what each proves - Links to Metrics page and Glossary Closes the two remaining cohesion gaps from alignment audit. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Apr 15, 2026
    657429c
  • wiki: system cohesion — connect install→schema→systemd→operations lifecycle Systemd page: - Added 'Role in System Architecture' section - Systemd = execution layer, NOT authority - Failure propagation: timer stops → feeds stale → enforcement degrades - Operators must rely on validator, not service status Schema page: - Added 'Lifecycle Connection' section - Connects install→validator→timers→operations chain - Links findings to Security Operations Guide - Cross-links to Installation and Operations Installation Guide: - Added 'What the Installer Creates' section - Links to Schema page for full structural contract - Connects Phase 5 (VALIDATE) to schema expectations All pages now express one coherent system, not 4 separate docs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Apr 15, 2026
    a6b7ad4
  • wiki: contract-vs-implementation separation (schema + install + architecture) Schema page: - Schema is now a logical contract, not tied to shell implementation - Implementation detail (nft_schema.sh) clearly separated from contract - Future Go migration stated without breaking contract invariants - 'Schema authority resides in nft_schema.sh' → contract-first wording Installation Guide: - Installer framed as 'enforces system contract on kernel' - Design Principle section: config→installer→validator→CLI invariant model - Implementation-agnostic: contract survives shell→Go migration Architecture: - Schema described as logical contract, not shell artifact - Migration direction stated as implementation detail, not contract change Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Apr 15, 2026
    eae5d6f
  • wiki: rewrite Metrics + Systemd Units + Security Operations (v1.85 aligned) Metrics & Evidence Model: - Full counter catalog (31 IPv4, 32 IPv6) with evidence classes - 6 interpretation rules from v1.81 vocabulary - Per-module evidence mapping table - Exporter architecture (Prometheus textfile + JSON) - Shared counter attribution rules Systemd Units & Timers: - All 28 services + 19 timers documented - Correct schedule: maintenance=15min (was wrong), watchdog=120s - Correct user: maintenance=root (was wrong) - Timer liveness validator check (VAL-TIMER-001/002) - Dependency chain documented - Corrects 3 wrong facts from Track B audit (B-13, B-14) Security Operations Guide: - 8 real operator scenarios with kernel-first diagnosis - Decision tree for DEGRADED state - Evidence-based procedures (no fabricated examples) - Shared counter attribution warnings - Emergency SSH lockout recovery - Corrects fabricated logrotate example from Track B (B-16) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Apr 15, 2026
    5d15624
  • wiki: rewrite Installation Guide + NFT Schema & Validator Model (v1.85 aligned) Installation Guide: - 5-phase Go installer pipeline (correct phase count) - Authority model (FRESH/UPDATE/TAKEOVER/ABORT) - SSH port safety (4-source detection) - Conflict detection with panel auto-approval - Post-install verification commands - CSF restoration warning - Source install limitations documented NFT Schema & Validator Model: - Schema design (separate ip/ip6 tables) - Schema generator → codegen → validator flow - All required kernel objects (chains, sets, counters, anchors) - Full finding code registry (14 codes) - Counter naming convention + inventory (31 IPv4, 32 IPv6) - Atomic rebuild safety - Validator scope and limitations Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Apr 15, 2026
    46bce43
  • stats: add full version history with verified LOC from git tags

    @itcmsgr itcmsgr committed Apr 14, 2026
    9cbd505
  • wiki: v1.83 canonical rewrite — system contract + modules + structure Complete wiki alignment to v1.83 canonical design baseline. Added (8 new pages): - Glossary-and-Vocabulary (v1.81 vocabulary contract) - Health-Model (4-axis + consistency derivation) - DDoS-Protection (kernel-only, counter evidence) - Portscan-Detection (structure-only, no counter) - BotGuard (daemon-dependent, set evidence) - Login-Monitoring (journal + shared sets) - Blacklist-and-Threat-Intelligence (composite: manual/feeds/geoban) - Known-Limitations-and-Validation-Scope (validator scope per module) Replaced (6 pages): - Home → system contract (truth authority + evidence model + invariants) - Architecture-Overview → kernel-first with invariants - CLI-Commands-Reference → trust levels + v1.83 behavior - Configuration-Reference → per-key with axis effects - Project-Statistics → v1.83 metrics with history - _Sidebar → canonical navigation structure Fixed (2 pages): - Suricata-IDS-Integration: "rules loaded" → "rules present" - Optimization-Tools-and-Tweaks: "ok" → "protected" Archived (11 pages → archive/): - CLI-Command-Tree, Timer-Schedule, Large-Set-Management (merged) - API-Handlers-Map, Registry-Architecture, Queue-and-Mail-Contract (internal) - Security-CI-Pipeline, Coding-Standards, Performance-Benchmarks (internal) - Health-Check-Architecture, HTTP-Bot-Guard (replaced by new pages) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Apr 14, 2026
    80da5ce
  • docs: update Home.md version to 1.68.1 + add Legal section to index - Version: 1.56.0 → 1.68.1 - Documentation Index: added Legal section with License & Commercial Use and Trademark & Branding pages Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Apr 3, 2026
    22e1094
  • docs: add License & Commercial Use and Trademark & Branding pages New wiki pages: - License-and-Commercial-Use.md — MPL-2.0 explanation, commercial use rules, fork policy, architecture boundary diagram - Trademark-and-Branding.md — allowed/prohibited use tables, fork naming requirements, SaaS restriction, enforcement clause Sidebar: added Legal section with both pages + Firewall Anchor Architecture Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Apr 3, 2026
    2076851
  • docs: add Firewall Anchor Architecture wiki page Documents the 7-phase anchor skeleton as a contract: - Phase model (HYGIENE → TRUSTED → BAN → ESTABLISHED → DETECT → SERVICE → FINAL) - Anchor markers and module insertion points - Ordering, structural, and safety invariants - Verification commands Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Apr 2, 2026
    06463e6
  • wiki: update for v1.56.0 — CI workflow count, Go 1.25, smoke test - Home.md: version 1.53.0 → 1.56.0 - Security-CI-Pipeline.md: 18 → 20 workflows, add smoke test to trigger table - Project-Statistics.md: 19 → 20 CI workflows, Go 1.24 → 1.25, fix architecture diagram

    @itcmsgr itcmsgr committed Mar 29, 2026
    06045fc
  • wiki: bump version to 1.53.0

    @itcmsgr itcmsgr committed Mar 28, 2026
    16b0a4e
  • wiki: align with v1.52.1 release

    @itcmsgr itcmsgr committed Mar 28, 2026
    0828ab3
  • docs: update wiki for v1.52.0 — config doctor, lockout prevention, login monitor, port 9580

    @itcmsgr itcmsgr committed Mar 28, 2026
    c9eccbc
  • docs(wiki): restore Statistics Per Version table to Project-Statistics Re-add the historical version tracking table with entries from v1.0.0 through v1.39.0 showing codebase growth over time. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Mar 24, 2026
    1d3dc2e
  • docs: align wiki with v1.39.0 release - Update version references across 8 pages (v1.18-v1.34 → v1.39.0) - Add dual-set architecture (blacklist_manual_* hash sets from v1.33.0) - Update nft schema with blacklist_manual_ipv4/ipv6 sets and input chain rules - Fix CLI path /usr/sbin/nftban → /usr/bin/nftban - Update Go package paths pkg/ → internal/ (v1.36.0 boundary hardening) - Update project statistics: 269K LOC, 311 Go files, 261 shell scripts, 71 packages - Remove stale audit status table and version history from Home.md - Mark v1.33.0 set separation as delivered in Performance-Benchmarks - Add Bot Guard and Commit-Confirm to key features list - Clean up version-specific annotations (v1.21.4+, v1.31.0, etc.) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Mar 24, 2026
    179b1e1
  • docs: add ddos reload command, SYNPROXY SSH lockout fix (v1.34.0) - Added 'nftban ddos reload' subcommand documentation with full subcommand table (enable, disable, reload, status, stats, test, mode) - Documented SYNPROXY SSH lockout prevention mechanism - Updated 'nftban firewall reload' to note DDoS re-application (v1.34.0) - Added DDoS configuration file references - Updated CLI Command Tree version to v1.34.0 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Mar 22, 2026
    9586a42
  • docs: add Debian 12 benchmarks, honest verdict, Known Limitations detail, rc=7 explanation

    @itcmsgr itcmsgr committed Mar 21, 2026
    e80f25d
  • docs: update Performance Benchmarks with real measured stress test data Replace estimated values with actual measured data from 21 March 2026 stress tests across 5 lab servers. Update lab1 kernel version, add Debian 13 dual-kernel note, fix lab ban avg to show range (73-113s) instead of single average. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Mar 21, 2026
    8d1c907
  • Add CPU details to benchmark environments Intel Xeon Skylake on lab (200 MHz slower) vs AMD EPYC-Rome on lab1-4. Note about fair cross-distro comparison requiring same hardware. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Mar 21, 2026
    bd92e71
  • Update Performance Benchmarks for v1.32.0 cache-first architecture - Add v1.32.0 cache-first counting results (300x speedup) - Add interactive ban latency at different set sizes - Add concurrent stress test results across 5 lab servers - Add scalability guidance (500K bulk target, not interactive) - Add maintenance script impact measurements - Preserve v1.18.0 transport benchmarks as separate section - Update test environment table for March 2026 labs - Add architecture validation for IntervalEnd fix - Add interpreting results section (3 independent domains) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Mar 21, 2026
    5868c54
  • docs: add Large Set Management wiki page (v1.32.0 architecture) Documents the new adaptive counting architecture: daemon-owned counters, cache file, scale levels, global nft operation lock, and reconciliation. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Mar 21, 2026
    1ac3726
  • docs: update NFT Schema Validation for v1.31.0 (auto-merge, counters, Bot Guard sets)

    @itcmsgr itcmsgr committed Mar 21, 2026
    94cf5ac
  • docs: add DNS Tunnel Suspicion wiki page, update CLI reference, sidebar, and Home

    @itcmsgr itcmsgr committed Mar 21, 2026
    47aefeb
  • docs: add Optimization Tools and Tweaks wiki page New wiki page documenting optional CIDR aggregation tools (aggregate6, netmask, bash fallback), setup procedures, distro compatibility, health reporting, and troubleshooting. Added to sidebar under Operations and to Home page index. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Mar 21, 2026
    dc87e6e
  • Add QUIC.cloud (LiteSpeed CDN) to trust providers Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Mar 17, 2026
    ee3c111
  • docs: Add HTTP Bot Guard wiki page, update statistics for v1.20.0 - New: HTTP-Bot-Guard.md — CLI, config, architecture, FHS, nft sets - Updated: _Sidebar.md — added HTTP Bot Guard link under Integration - Updated: Project-Statistics.md — updated LOC, modules (8), packages (65), protection modules table, architecture diagram, statistics history Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Mar 14, 2026
    ccebcbf
  • docs: Add Ban-First Architecture section to Security-Architecture.md Documents the actual ban path architecture: - Ban execution is immediate (no feed lookup) - Feeds are precomputed via timer-based sync - GeoIP is post-ban informational only Evidence from code audit of handleBanRequest(), backend.Ban(), and feed sync. Related: closes #48 as already implemented Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Mar 12, 2026
    4a1c9f2
  • docs: Add IPC Security Architecture section (v1.19.27) Document defense-in-depth input validation for nft commands: - Validation layers diagram (CLI → IPC → Go daemon) - Character whitelists for IPv4/IPv6/CIDR - Files with nft command security table - Testing validation examples - False positive prevention notes Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Mar 12, 2026
    4c40d56