symbiosis-firewall (2010:1224) lenny; urgency=low

  * Whitelist hosts mentioned in /etc/hosts.allow.

 -- Steve Kemp  Fri, 24 Dec 2010 11:52:00 +0000

symbiosis-firewall (2010:1109) oldstable; urgency=low

  * Always allow --flush to succeed.

 -- Steve Kemp  Tue, 9 Nov 2010 17:18:19 +0000

symbiosis-firewall (2010:0915) oldstable; urgency=low

  * Don't re-run the firewall unless we've genuinely removed a
    whitelisted entry, or added a new one.

 -- Steve Kemp  Wed, 15 Sep 2010 17:18:19 +0000

symbiosis-firewall (2010:0910) oldstable; urgency=low

  * Correctly process whitelisted IP addresses.
  * Expire whitelisted entries which are older than 8 days.
  * The blacklister will honour even auto-whitelisted IPs.
  * Updated to avoid issues with unused blacklist files.
  * Log firewall actions to a file, not to STDOUT/STDERR.
    - The logfiles are also used by the blacklist/whitelist components.
  * Lock the firewall to prevent multiple concurrent executions.
  * When blacklisting IPs count multiple destination port probes as equal.
    e.g. ssh + smtp failures are summed, not treated separately.

 -- Steve Kemp  Fri, 10 Sep 2010 08:08:08 +0000

symbiosis-firewall (2010:0628) oldstable; urgency=low

  * Updated to use /etc/symbiosis/firewall as the prefix directory
    rather than /etc/firewall

 -- Steve Kemp  Wed, 23 Jun 2010 10:20:30 +0000

symbiosis-firewall (2010:0604) oldstable; urgency=low

  [ Steve Kemp ]
  * Updated to provide a clean transition.
  * Updated the default location for the firewall's built-in rules
  * Updated so that the firewall rules use the correct direction.

  [ Patrick J Cherry ]
  * Switched to dpkg-source 3.0 (native) format

 -- Steve Kemp  Thu, 03 Jun 2010 13:51:30 +0100

symbiosis-firewall (2010:0427) oldstable; urgency=low

  * Renamed the main package.
    - But still "Provide:" the old name.

 -- Steve Kemp  Tue, 27 Apr 2010 16:00:16 +0000

bytemark-vhost-firewall (2010:0421) oldstable; urgency=low

  * Install a trivial manpage for `firewall-logtail`.

 -- Steve Kemp  Wed, 21 Apr 2010 10:00:01 +0000

bytemark-vhost-firewall (2009:1126-1) oldstable; urgency=low

  * Avoid making rules specific to devices.

 -- Steve Kemp  Thu, 26 Nov 2009 16:24:16 +0000

bytemark-vhost-firewall (2009:1021-1) oldstable; urgency=low

  * Correctly use the epoch.

 -- Steve Kemp  Wed, 21 Oct 2009 16:51:16 +0000

bytemark-vhost-firewall (2009.1019-1) oldstable; urgency=low

  * Supply empty local.d/ and whitelist.d/ directories by default.
  * Log to syslog any IPs which we've temporarily blacklisted.

 -- Steve Kemp  Mon, 19 Oct 2009 14:32:21 +0000

bytemark-vhost-firewall (2009:1009-1) oldstable; urgency=low

  * Our blacklist application now can block on a per-port basis, and
    will do so by default for OpenSSH.

 -- Steve Kemp  Fri, 9 Oct 2009 12:44:21 +0000

bytemark-vhost-firewall (2009:0918-1) oldstable; urgency=low

  * We don't place a newline in .auto files generated by the blacklist
    script.  Credit to Karl Dyson for the bug.

 -- Steve Kemp  Fri, 18 Sep 2009 16:33:01 +0000

bytemark-vhost-firewall (2009:0916-1) oldstable; urgency=low

  * Blacklisting files now allow per-port blocks.

 -- Steve Kemp  Tue, 16 Sep 2009 10:15:01 +0000

bytemark-vhost-firewall (20090901095146) oldstable; urgency=low

  * Skip "tun" devices.

 -- Steve Kemp  Tue, 1 Sep 2009 09:51:46 +0000

bytemark-vhost-firewall (20090825102446) oldstable; urgency=low

  * Duplicate IPv4 rules onto IPv6 if such support is enabled.

 -- Steve Kemp  Tue, 25 Aug 2009 10:24:46 +0000

bytemark-vhost-firewall (20090812171748) oldstable; urgency=low

  * Correctly handle mis-named blacklisted files.

 -- Steve Kemp  Wed, 12 Aug 2009 17:17:48 +0000

bytemark-vhost-firewall (20090812162548) oldstable; urgency=low

  * Remove active blacklist entries for IPs which are subsequently
    whitelisted.

 -- Steve Kemp  Wed, 12 Aug 2009 16:25:48 +0000

bytemark-vhost-firewall (20090731104804) oldstable; urgency=low

  * If the firewall-blacklist program is disabled then reload the
    firewall prior to exiting - to flush out bogus entries.
  * Added the "logtail" script from the Debian logcheck package so that
    we only process new entries.
  * Changed our cronjob so that we run every 15 minutes not every 5.

 -- Steve Kemp  Fri, 31 Jul 2009 10:48:04 +0000

bytemark-vhost-firewall (20090707153244) oldstable; urgency=low

  * Per-Lenny vhost repository, rather than branches

 -- Steve Kemp  Tue, 7 Jul 2009 15:32:44 +0000

bytemark-vhost-firewall (20090522105210) oldstable; urgency=low

  * New release for Lenny.

 -- Steve Kemp  Fri, 22 May 2009 10:52:10 +0000

bytemark-vhost-firewall (20091505152733) oldstable; urgency=low

  * Build-depend upon Ruby.
  * Use the correct pathname in /etc/cron.d/firewall-blocker.

 -- Steve Kemp  Fri, 15 May 2009 15:27:33 +0000

bytemark-vhost-firewall (20081119130025) oldstable; urgency=low

  * depend upon iproute.
  * Attempt to find network devices dynamically

 -- Steve Kemp  Tue, 18 Nov 2008 13:00:25 +0000

bytemark-vhost-firewall (20081118120409) oldstable; urgency=low

  * New installs will have 00-related by default.
  * Load the ip_conntrack modules if available.

 -- Steve Kemp  Tue, 18 Nov 2008 12:04:04 +0000

bytemark-vhost-firewall (20081118095920) oldstable; urgency=low

  * The "N-allow" rule is now correct.

 -- Steve Kemp  Tue, 18 Nov 2008 09:59:20 +0000

bytemark-vhost-firewall (20081117173759) oldstable; urgency=low

  * Create the blacklist directory if it is missing.
  * Add manpage for the firewall-blacklist script.
  * Never blacklist 127.*
  * Allow the blacklister to be disabled distinctly from the firewall.

 -- Steve Kemp  Mon, 17 Nov 2008 17:37:59 +0000

bytemark-vhost-firewall (20081117171938) oldstable; urgency=low

  * If a named logfile doesn't exist we abort.

 -- Steve Kemp  Mon, 17 Nov 2008 17:19:19 +0000

bytemark-vhost-firewall (20081117171455) oldstable; urgency=low

  * New format for blacklist patterns.

 -- Steve Kemp  Mon, 17 Nov 2008 17:17:17 +0000

bytemark-vhost-firewall (20081117154411) oldstable; urgency=low

  * If the firewall has been disabled then the blacklisting script is
    also disabled.

 -- Steve Kemp  Mon, 17 Nov 2008 15:44:44 +0000

bytemark-vhost-firewall (20081117132150) oldstable; urgency=low

  * Be more strict about deleting our temporary firewall script.

 -- Steve Kemp  Mon, 17 Nov 2008 13:21:50 +0000

bytemark-vhost-firewall (20081117131248) oldstable; urgency=low

  * Added new command line flags to the firewall-blacklist script:
     --attempts - The number of failing attempts we need before blacklisting.
     --expire   - The number of days to keep blacklisted records.

 -- Steve Kemp  Mon, 17 Nov 2008 13:13:13 +0000

bytemark-vhost-firewall (20081117130218) oldstable; urgency=low

  * Correctly ignore the .auto suffix when reloading the firewall.

 -- Steve Kemp  Mon, 17 Nov 2008 13:00:31 +0000

bytemark-vhost-firewall (20081117124948) oldstable; urgency=low

  * The firewall-blacklist package will create blacklist entries with
    an .auto suffix.
  * The firewall package will recognise .auto as a valid blacklist suffix

 -- Steve Kemp  Mon, 17 Nov 2008 12:55:21 +0000

bytemark-vhost-firewall (20081110153349) oldstable; urgency=low

  * Install cron.d/ snippet to block dictionary attacks.

 -- Steve Kemp  Fri, 14 Nov 2008 17:48:00 +0000

bytemark-vhost-firewall (20081110153349) oldstable; urgency=low

  * Remove denyhosts when we're present.

 -- Steve Kemp  Fri, 14 Nov 2008 17:27:27 +0000

bytemark-vhost-firewall (20081110153348) oldstable; urgency=low

  * Only blacklist hosts which fail 5 times.

 -- Steve Kemp  Fri, 14 Nov 2008 17:14:15 +0000

bytemark-vhost-firewall (20081110153347) oldstable; urgency=low

  * Conflict with denyhosts

 -- Steve Kemp  Fri, 14 Nov 2008 16:50:16 +0000

bytemark-vhost-firewall (20081110153346) oldstable; urgency=low

  * Correctly reject blacklisted IPs.
  * Replace the bytemark-vhost-ssh-protection.

 -- Steve Kemp  Fri, 14 Nov 2008 16:44:44 +0000

bytemark-vhost-firewall (20081110153345) oldstable; urgency=low

  * Added 'firewall-blacklist' to blacklist hosts attacking SSH.

 -- Steve Kemp  Fri, 14 Nov 2008 16:33:33 +0000

bytemark-vhost-firewall (20081110153344) oldstable; urgency=low

  * The Bytemark Virtual Hosting Package bytemark-vhost-firewall
    - Support may be found at http://vhost.bytemark.co.uk/

 -- Steve Kemp  Mon, 10 Nov 2008 15:33:44 +0000