Full Version: APF Upgrade problem from 9.5 to 9.6-1
The Planet Forums > Security > General Security > UNIX Security
Zandaline
I am a little behind the times and am just getting around to updating APF. 0.9.5 runs just fine, but when I upgraded to 9.6-1 I was locked out. I took a look at conf.apf and all of my original ingress and egress ports were there. I compared the new conf.apf to my old one and there weren't any glaring differences.

Does anyone have a conf.apf file they would be willing to share? Or am I even on the right track thinking that the problem lies in the conf file?

Thank You
TheUniverses
Are you running any Control Panel?
I'd post mine, but it's for Plesk based servers.
Blue|Fusion
I have three APF configs here for my ELS program. It has the default one, one made specifically for cPanel, and one specifically for Plesk.
Zandaline
Thanks for the config file, Blue|Fusion. I'll give it a go tonight when the majority of my users are sleeping, just in case I lock myself out at 5 minute intervals.
Zandaline
Blue|Fusion,

I used your conf.apf file but I still get locked out and all traffic stops. I put my IP in the allow hosts and everything works. Too bad the rest of the world can't see it. Maybe my server is screwy. Here is a copy of the conf.apf that does work with my server running cPanel.

Thank you,
Zandaline


CODE
#!/bin/sh
#
# APF 0.9.5 [apf@r-fx.org]
#
# NOTE: This file should be edited with word/line wrapping off,
#       if you're using pico please start it with the -w switch.
#       (e.g: pico -w filename)
#

##
# [Dev. Mode]
# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to flush the firewall; set
# this mode off (0) when firewall determined to be operating as desired.
##

# Set firewall dev cronjob
# 1 = enabled / 0 = disabled
DEVM="0"

##
# [Main]
##

# Path of firewall installation
FWPATH="/etc/apf"

# Untrusted Network interface; all traffic on defined interface will be
# subject to all firewall rules. This should be your internet exposed
# interface. Only one interface is accepted for this value.
IF="eth1"

# Trusted Network interface(s); all traffic on defined interface(s) will by-pass
# ALL firewall rules (white space or comma separated list; e.g: TIF="eth1 eth2").
TIF=""

# Local gateway mac address [optional]; when a value is present, only traffic
# from the local gateway will be permitted. It is quite trivial to forge a MAC
# address and as such this is provided as another layer of route verification.
LGATE_MAC=""

# Enable virtual network subsystem; creates independent policy ruleset for each
# ip on a system (pulls data from 'ip addr list') to /etc/apf/vnet/ip.rules
# Template is located in the vnet/ folder for rule files. This feature can
# reduce apf start/stop performance and is not recommended for systems with more
# than 255 (/24) ip's. [0 = Disabled / 1 = Enabled]
EN_VNET="0"

# Support Monolithic kernel builds [no LKM's]. This mode of operation is
# not really supported and you use at your own risk.
MONOKERN="0"

##
# [Packet Filtering/Handling]
##

# Default Type of Service (TOS)
#
# 8: Maximum Throughput - Minimum Delay
# 4: Minimize Delay - Maximize Reliability
# 16: No Delay - Moderate Throughput - High Reliability
DEF_TOS="4"

# How to handle TCP packet filtering?
#
#  RESET (sends a tcp-reset; TCP/IP default)
#  DROP  (drop the packet; stealth ?)
#  REJECT (reject the packet)
TCP_STOP="DROP"

# How to handle UDP packet filtering?
#
#  RESET (sends a icmp-port-unreachable; TCP/IP default)
#  DROP  (drop the packet; stealth ?)
#  REJECT (reject the packet)
#  PROHIBIT (send an icmp-host-prohibited)
UDP_STOP="DROP"

# How to handle all other packet filtering? (icmp,arp,igmp)
#
#  DROP  (drop the packet)
#  REJECT (reject the packet)
DSTOP="DROP"

# Set a reasonable packet/time ratio for ICMP packets; exceeding
# such packet flow ratio will result in dropped packets.
# pkt/s (packets/seconds), pkt/m (packets/minutes)
ICMP_LIM="14/s"

# Use a dynamic discovery routine to parse and create rules based
# on the local name servers defined in /etc/resolv.conf.
# [0 = Disabled / 1 = Enabled]
RESV_DNS="1"

# With RESV_DNS enabled; all untrusted name server traffic can fill
# the logs with sport 53 traffic. This can be suppressed with an
# implicit drop of all such traffic (sport 53 ingress) so as to avoid
# the log chain.
RESV_DNS_DROP="1"

# You need multicasting if you intend to participate in the MBONE, a
# high bandwidth network on top of the Internet which carries audio
# and video broadcasts. More about MBONE at: www-itg.lbl.gov/mbone/,
# this is generally safe to enable. [0 = Disabled / 1 = Enabled]
BLK_MCATNET="0"

# Block all private ipv4 addresses; this is address space reserved
# for private networks; or otherwise unroutable on the internet.
# If this host resides behind a firewall with NAT or routing scheme
# that otherwise uses private addressing; leave this option off.
# Refer to the 'internals/private.networks' file for listing of
# address space. [0 = Disabled / 1 = Enabled]
BLK_PRVNET="0"

# Block all ipv4 address space marked reserved for future use or
# unassigned; such networks have no business communicating with us.
# However they may at some point become live address space. Refer to
# the 'internals/reserved.networks' file for listing of address space.
# [0 = Disabled / 1 = Enabled]
BLK_RESNET="0"

# This is the maximum number of "sessions" (connection tracking entries)
# that can be handled simultaneously by the firewall in kernel memory.
# Increasing this value too high will simply waste memory; setting it
# too low may result in some or all connections being refused, in particular
# during denial of service attacks.
SYSCTL_CONNTRACK="34576"

# These are sysctl hook changes to further harden the kernel from
# network attack trends by lowering standard time-out values and other
# time based packet responses. [0 = Disabled / 1 = Enabled]
SYSCTL_TCP="1"

# These are sysctl hook changes intended to help mitigate syn-flood
# attacks by lowering syn retry, syn backlog & syn time-out values.
# [0 = Disabled / 1 = Enabled]
SYSCTL_SYN="1"

# These are sysctl hook changes to provide protection from spoofed
# packets, and arp/route redirection. [0 = Disabled / 1 = Enabled]
SYSCTL_ROUTE="0"

# This sysctl hook will log all internal traffic that is otherwise
# not to/from a local interface and not multicast.
# [0 = Disabled / 1 = Enabled]
SYSCTL_LOGMARTIANS="0"

# This sysctl hook will allow you to enable or disable ECN support
# (Explicit Congestion Notification); this feature provides an
# improved method for congestion avoidance by allowing the network
# to mark packets for transmission later, rather than dropping them
# from the queue. [0 = Disabled / 1 = Enabled]
SYSCTL_ECN="0"

# This sysctl hook will allow you to enable or disable SynCookies
# support; this feature will send out a 'syn-cookie' when the syn
# backlog for a socket becomes overflowed. The cookie is used to
# interrupt the flow of syn transmissions with a hashed sequence
# number that must be correlated with the sending host. The hash
# is made up of the sending host address, packet flags etc...;
# if the sending host does not validate against the hash then the
# tcp hand-shake is terminated. [0 = Disabled / 1 = Enabled]
# Note: syncookies seriously violate TCP protocol and can result
#    in serious degradation of some services (i.e. SMTP);
#    visible not by you, but your clients and relays whom are
#    contacting your system.
SYSCTL_SYNCOOKIES="1"

# This sysctl hook will allow you to toggle Abort_On_Overflow support;
# This feature will help mitigate burst floods if a listening service
# is too slow to accept new connections. This option is an alternative
# for SynCookies and both should NEVER be enabled at once.
# [0 = Disabled / 1 = Enabled]
# Note: This option can harm clients contacting your system. Enable
#       option only if you are sure that the listening daemon can not
#       be tuned to accept connections faster.
SYSCTL_OVERFLOW="0"

# Common drop ports; these are implicit ports you do not want logged
# with the default drop chains. Format is comma separated and underscore
# separator for ranges (135_139). Ports are dropped and ignored for both
# TCP & UDP as well as inbound and outbound.
CDPORTS="135_139,111,513,445,1433,1434,1234,1524,3127"

##
# [Ingress]
# Configure ingress (inbound) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory. Format is comma separated
# and underscore separator for ranges.
#
# Example:
# IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"
# IG_UDP_CPORTS="20,21,53,123"
# IG_ICMP_TYPES="3,5,11,0,30,8"
##

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2084,2086,2087,2095,2096,3000_3500,9999"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"

##
# [Egress]
# Configure egress (outbound) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory.
#
# Egress filtering is not required but makes your firewall setup complete
# by providing full inbound and outbound packet filtering. You can toggle
# egress filtering on or off with the EGF variable. Format is comma separated
# and underscore separator for ranges.
#
# Example:
# EG_TCP_CPORTS="21,25,80,443,43"
# EG_UDP_CPORTS="20,21,53"
# EG_ICMP_TYPES="all"
##

# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,123,465,873"

# Common ICMP egress (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"

##
# [Egress UID match]
# Configure user-id specific egress (outbound) port access. This is a
# more granular feature to limit the scope of egress packet flows with uid
# conditioning. Format is comma separated and underscore separator for ranges.
#
# Format: EG_[TCP|UDP]_UID="uid:port"
# Example:
# Allow outbound access to destination port 22 for uid 0
# EG_TCP_UID="0:22"
##

# UID-Match egress (outbound) TCP ports
EG_TCP_UID=""

# UID-Match egress (outbound) UDP ports
EG_UDP_UID=""

##
# [Imports]
# Configure importable rules
##
# DShield.org's "block" list of top networks that have exhibited
# suspicious activity. [0 = Disabled / 1 = Enabled]
USE_DS="1"

DS_URL="feeds.dshield.org/block.txt"       # block.txt url (no *://)
DS_URL_PROT="http"                           # protocol to use for wget

# Import /etc/apf/ad/ad.rules ban list generated by antidos;
# this is essentially a quick enable/disable feature for
# the insertion of such bans. [0 = Disabled / 1 = Enabled]
USE_AD="1"

# This is an implementation of the trust rules (allow/deny_hosts) but
# on a global perspective. You can define below remote addresses from
# which the glob_allow/deny.rules files should be downloaded from on
# a daily basis. The files can be maintained in a static fashion by
# leaving USE_RGT=0, appropriate for host serving the files.
# [0 = Disabled / 1 = Enabled]
USE_RGT="0"

GA_URL="yourhost.com/glob_allow.rules"       # glob_allow.rules url (no *://)
GA_URL_PROT="http"         # protocol for use with wget

GD_URL="yourhost.com/glob_deny.rules"        # glob_deny.rules url (no *://)
GD_URL_PROT="http"        # protocol for use with wget

##
# [Logs]
# Logging and control settings
##

# Status log path
IPTLOG="/var/log/apf_log"

# Log all foreign gateway traffic
# [0 = Disabled / 1 = Enabled]
LGATE_LOG="0"

# Log TCP/UDP DROP chains (required for antidos); data logged to kernel log
# [0 = Disabled / 1 = Enabled]
DROP_LOG="1"

# Extended logging information; this forces the output of tcp options and
# ip options for packets passing through the log chains
# [0 = Disabled / 1 = Enabled]
EXLOG="0"

# Max firewall events to log per/minute. Log events exceeding these limits
# will be lost!
LRATE="45"

##
# [Import misc. vars]
##
#
# Internal vars file
CNFINT="$FWPATH/internals/internals.conf"
# Import internal vars file
. $CNFINT
Blue|Fusion
Be sure to set eth1 as the interface you want to protect and eth0 as a trusted interface in the 0.9.6 conf.apf.
Zandaline
A slight correction to my post. The conf file I posted is for the old version of APF. I still can't get 9.6 to work using your version, that's why I figured my server must be a little screwy. Can you see anything between my current config with the old version and the new config that you made that would explain why I can not get it to work?

Sorry for the confusion.
Blue|Fusion
Yes. My examples have eth0 being the firewalled ethernet device. Your server needs to have eth1 firewalled and eth0 set as a trusted interface. Change those settings in the 0.9.6 version of the conf.apf and try it again.
Zandaline
Bingo! That solved the problem. Now I'm putting this thread into my bookmarks to make sure I don't make the same mistake in future upgrades.

Thank you Blue|Fusion
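The lockout in this thread came down to one setting: a conf.apf written for a server whose internet side is eth0 was applied to a server whose internet side is eth1, so the rules guarded the wrong interface. The script below is an added example, not part of APF and not posted by anyone in the thread. It reads the KEY="value" lines of a conf.apf, checks that IF matches the internet-facing interface (on a live host, the one carrying the default route), flags an IF that is also listed in TIF (a trusted interface bypasses every rule), and validates the comma/underscore port-list syntax of the IG_*_CPORTS values before the firewall is restarted. The conf.apf fragment it writes to a temp file is constructed for the demo; the `default_route_if` helper assumes the iproute2 `ip` tool is installed.

```shell
#!/bin/sh
# Added example: pre-flight sanity check for an APF conf.apf before (re)starting
# the firewall. Not part of APF or of this thread; it only reads the KEY="value"
# lines shown in the posted config. Assumption: the interface carrying the default
# route is the internet-exposed one, i.e. the one that belongs in IF, not in TIF.

# Read the value of KEY="value" from a conf.apf (first match; trailing comments ignored).
apf_get() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Interface carrying the default route (needs the iproute2 'ip' tool); empty if unknown.
default_route_if() {
    ip -o route show default 2>/dev/null | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# Is one APF port token valid? Either "N" or a range "LO_HI", each within 1-65535.
valid_port_token() {
    case $1 in
        *_*) lo=${1%%_*}; hi=${1#*_} ;;
        *)   lo=$1; hi=$1 ;;
    esac
    for n in "$lo" "$hi"; do
        case $n in ""|*[!0-9]*) return 1 ;; esac
    done
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Validate a comma-separated APF port list; prints "ok" or "bad:<token>".
check_ports() {
    rest=$1
    while [ -n "$rest" ]; do
        tok=${rest%%,*}
        case $rest in *,*) rest=${rest#*,} ;; *) rest="" ;; esac
        valid_port_token "$tok" || { echo "bad:$tok"; return 1; }
    done
    echo ok
}

# Check IF/TIF in conf file $1 against the internet-facing interface $2.
# Prints a verdict; returns 0 only when the firewall would guard the right interface.
check_iface() {
    fw_if=$(apf_get "$1" IF)
    trusted=$(apf_get "$1" TIF)
    if [ -z "$fw_if" ]; then
        echo "IF is empty: nothing would be firewalled"
        return 1
    fi
    if [ "$fw_if" != "$2" ]; then
        echo "mismatch: IF=\"$fw_if\" but the internet-facing interface is $2"
        return 1
    fi
    # TIF may be space- or comma-separated; an interface listed there bypasses ALL rules.
    case " $(printf '%s' "$trusted" | tr ',' ' ') " in
        *" $fw_if "*) echo "IF=\"$fw_if\" is also in TIF, so it would bypass every rule"; return 1 ;;
    esac
    echo "ok: IF=\"$fw_if\", TIF=\"$trusted\""
}

# Constructed sample: a conf.apf copied from a host whose internet side is eth0,
# about to be used on a host (like the one in this thread) whose internet side is eth1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed conf.apf fragment for the demo
DEVM="0"
IF="eth0"
TIF=""
IG_TCP_CPORTS="20,21,22,25,80,443,3000_3500"
IG_UDP_CPORTS="53,123"
EOF
}

demo() {
    conf=$(mktemp)
    write_sample_conf "$conf"
    # On a live host use: wan=$(default_route_if); here the thread's eth1 is assumed.
    wan=eth1
    check_iface "$conf" "$wan" || echo "-> correct IF/TIF before starting the firewall"
    for key in IG_TCP_CPORTS IG_UDP_CPORTS; do
        echo "$key: $(check_ports "$(apf_get "$conf" "$key")")"
    done
    if [ "$(apf_get "$conf" DEVM)" = "1" ]; then
        echo "DEVM=1: the 5 minute cron flush is active; set it to 0 once the rules are known good"
    fi
    rm -f "$conf"
}

demo
```

Run it against a real file by replacing the constructed sample with the path to /etc/apf/conf.apf and `wan` with the output of `default_route_if`; a "mismatch" or "also in TIF" verdict is exactly the situation Blue|Fusion diagnosed above, and catching it before the restart avoids waiting for the dev-mode cron to flush the rules.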