symbiosis-firewall (2010:1224) lenny; urgency=low

  * Whitelist hosts mentioned in /etc/hosts.allow.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 24 Dec 2010 11:52:00 +0000

symbiosis-firewall (2010:1109) oldstable; urgency=low

  * Always allow --flush to succeed.

 -- Steve Kemp <steve@bytemark.co.uk>  Tue, 9 Nov 2010 17:18:19 +0000

symbiosis-firewall (2010:0915) oldstable; urgency=low

  * Don't re-run the firewall unless we've genuinely removed
    a whitelisted entry, or added a new one.

 -- Steve Kemp <steve@bytemark.co.uk>  Wed, 15 Sep 2010 17:18:19 +0000

symbiosis-firewall (2010:0910) oldstable; urgency=low

  * Correctly process whitelisted IP addresses.
  * Expire whitelisted entries which are older than 8 days.
  * The blacklister will honour even auto-whitelisted IPs.
  * Updated to avoid issues with unused blacklist files.
  * Log firewall actions to a file, not to STDOUT/STDERR.
    - The logfiles are also used by the blacklist/whitelist components.
  * Lock the firewall to prevent multiple concurrent executions.
  * When blacklisting IPs count multiple destination port probes
    as equal.  e.g. ssh + smtp failures are summed, not treated separately.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 10 Sep 2010 08:08:08 +0000

symbiosis-firewall (2010:0628) oldstable; urgency=low

  * Updated to use /etc/symbiosis/firewall as the prefix
    directory rather than /etc/firewall

 -- Steve Kemp <steve@bytemark.co.uk>  Wed, 23 Jun 2010 10:20:30 +0000

symbiosis-firewall (2010:0604) oldstable; urgency=low

  [ Steve Kemp ]
  * Updated to provide a clean transition.
  * Updated the default location for the firewall's built-in rules
  * Updated so that the firewall rules use the correct direction.

  [ Patrick J Cherry ]
  * Switched to dpkg-source 3.0 (native) format

 -- Steve Kemp <steve@bytemark.co.uk>  Thu, 03 Jun 2010 13:51:30 +0100

symbiosis-firewall (2010:0427) oldstable; urgency=low

  * Renamed the main package.
    - But still "Provide:" the old name.

 -- Steve Kemp <steve@bytemark.co.uk>  Tue, 27 Apr 2010 16:00:16 +0000

bytemark-vhost-firewall (2010:0421) oldstable; urgency=low

  * Install a trivial manpage for `firewall-logtail`.

 -- Steve Kemp <steve@bytemark.co.uk>  Wed, 21 Apr 2010 10:00:01 +0000

bytemark-vhost-firewall (2009:1126-1) oldstable; urgency=low

  * Avoid making rules specific to devices.

 -- Steve Kemp <steve@bytemark.co.uk>  Thu, 26 Nov 2009 16:24:16 +0000

bytemark-vhost-firewall (2009:1021-1) oldstable; urgency=low

  * Correctly use the epoch.

 -- Steve Kemp <steve@bytemark.co.uk>  Wed, 21 Oct 2009 16:51:16 +0000

bytemark-vhost-firewall (2009.1019-1) oldstable; urgency=low

  * Supply empty local.d/ and whitelist.d/ directories by default.
  * Log to syslog any IPs which we've temporarily blacklisted.

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 19 Oct 2009 14:32:21 +0000

bytemark-vhost-firewall (2009:1009-1) oldstable; urgency=low

  * Our blacklist application now can block on a per-port basis, and
    will do so by default for OpenSSH.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 9 Oct 2009 12:44:21 +0000

bytemark-vhost-firewall (2009:0918-1) oldstable; urgency=low

  * We don't place a newline in .auto files generated by the blacklist
    script.  Credit to Karl Dyson for the bug.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 18 Sep 2009 16:33:01 +0000

bytemark-vhost-firewall (2009:0916-1) oldstable; urgency=low

  * Blacklisting files now allow per-port blocks.

 -- Steve Kemp <steve@bytemark.co.uk>  Tue, 16 Sep 2009 10:15:01 +0000

bytemark-vhost-firewall (20090901095146) oldstable; urgency=low

  * Skip "tun" devices.

 -- Steve Kemp <steve@bytemark.co.uk>  Tue, 1 Sep 2009 09:51:46 +0000

bytemark-vhost-firewall (20090825102446) oldstable; urgency=low

  * Duplicate IPv4 rules onto IPv6 if such support is enabled.

 -- Steve Kemp <steve@bytemark.co.uk>  Tue, 25 Aug 2009 10:24:46 +0000

bytemark-vhost-firewall (20090812171748) oldstable; urgency=low

  * Correctly handle mis-named blacklisted files.

 -- Steve Kemp <steve@bytemark.co.uk>  Wed, 12 Aug 2009 17:17:48 +0000

bytemark-vhost-firewall (20090812162548) oldstable; urgency=low

  * Remove active blacklist entries for IPs which are subsequently
    whitelisted.

 -- Steve Kemp <steve@bytemark.co.uk>  Wed, 12 Aug 2009 16:25:48 +0000

bytemark-vhost-firewall (20090731104804) oldstable; urgency=low

  * If the firewall-blacklist program is disabled then reload the
    firewall prior to exiting - to flush out bogus entries.
  * Added the "logtail" script from the Debian logcheck package so
    that we only process new entries.
  * Changed our cronjob so that we run every 15 minutes not every 5.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 31 Jul 2009 10:48:04 +0000

bytemark-vhost-firewall (20090707153244) oldstable; urgency=low

  * Per-Lenny vhost repository, rather than branches

 -- Steve Kemp <steve@bytemark.co.uk>  Tue, 7 Jul 2009 15:32:44 +0000

bytemark-vhost-firewall (20090522105210) oldstable; urgency=low

  * New release for Lenny.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 22 May 2009 10:52:10 +0000

bytemark-vhost-firewall (20091505152733) oldstable; urgency=low

  * Build-depend upon Ruby.
  * Use the correct pathname in /etc/cron.d/firewall-blocker.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 15 May 2009 15:27:33 +0000

bytemark-vhost-firewall (20081119130025) oldstable; urgency=low

  * depend upon iproute.
  * Attempt to find network devices dynamically

 -- Steve Kemp <steve@bytemark.co.uk>  Tue, 18 Nov 2008 13:00:25 +0000

bytemark-vhost-firewall (20081118120409) oldstable; urgency=low

  * New installs will have 00-related by default.
  * Load the ip_conntrack modules if available.

 -- Steve Kemp <steve@bytemark.co.uk>  Tue, 18 Nov 2008 12:04:04 +0000

bytemark-vhost-firewall (20081118095920) oldstable; urgency=low

  * The "N-allow" rule is now correct.

 -- Steve Kemp <steve@bytemark.co.uk>  Tue, 18 Nov 2008 09:59:20 +0000

bytemark-vhost-firewall (20081117173759) oldstable; urgency=low

  * Create the blacklist directory if it is missing.
  * Add manpage for the firewall-blacklist script.
  * Never blacklist 127.*
  * Allow the blacklister to be disabled distinctly from the firewall.

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 17 Nov 2008 17:37:59 +0000

bytemark-vhost-firewall (20081117171938) oldstable; urgency=low

  * If a named logfile doesn't exist we abort.

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 17 Nov 2008 17:19:19 +0000

bytemark-vhost-firewall (20081117171455) oldstable; urgency=low

  * New format for blacklist patterns.

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 17 Nov 2008 17:17:17 +0000

bytemark-vhost-firewall (20081117154411) oldstable; urgency=low

  * If the firewall has been disabled then the blacklisting script is
    also disabled.

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 17 Nov 2008 15:44:44 +0000

bytemark-vhost-firewall (20081117132150) oldstable; urgency=low

  * Be more strict about deleting our temporary firewall script.

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 17 Nov 2008 13:21:50 +0000

bytemark-vhost-firewall (20081117131248) oldstable; urgency=low

  * Added new command line flags to the firewall-blacklist script:
     --attempts - The number of failing attempts we need before blacklisting.
     --expire  - The number of days to keep blacklisted records.

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 17 Nov 2008 13:13:13 +0000

bytemark-vhost-firewall (20081117130218) oldstable; urgency=low

  * Correctly ignore the .auto suffix when reloading the firewall.

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 17 Nov 2008 13:00:31 +0000

bytemark-vhost-firewall (20081117124948) oldstable; urgency=low

  * The firewall-blacklist package will create blacklist entries with
    an .auto suffix.
  * The firewall package will recognise .auto as a valid blacklist
    suffix

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 17 Nov 2008 12:55:21 +0000

bytemark-vhost-firewall (20081110153349) oldstable; urgency=low

  * Install cron.d/ snippet to block dictionary attacks.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 14 Nov 2008 17:48:00 +0000

bytemark-vhost-firewall (20081110153349) oldstable; urgency=low

  * Remove denyhosts when we're present.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 14 Nov 2008 17:27:27 +0000

bytemark-vhost-firewall (20081110153348) oldstable; urgency=low

  * Only blacklist hosts which fail 5 times.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 14 Nov 2008 17:14:15 +0000

bytemark-vhost-firewall (20081110153347) oldstable; urgency=low

  * Conflict with denyhosts

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 14 Nov 2008 16:50:16 +0000

bytemark-vhost-firewall (20081110153346) oldstable; urgency=low

  * Correctly reject blacklisted IPs.
  * Replace the bytemark-vhost-ssh-protection.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 14 Nov 2008 16:44:44 +0000

bytemark-vhost-firewall (20081110153345) oldstable; urgency=low

  * Added 'firewall-blacklist' to blacklist hosts attacking SSH.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 14 Nov 2008 16:33:33 +0000

bytemark-vhost-firewall (20081110153344) oldstable; urgency=low

  * The Bytemark Virtual Hosting Package bytemark-vhost-firewall
    - Support may be found at http://vhost.bytemark.co.uk/

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 10 Nov 2008 15:33:44 +0000