symbiosis-firewall (2017:0901) stable; urgency=medium

  * Removed default install of reject-www-data rule.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Fri, 01 Sep 2017 15:17:19 +0100

symbiosis-firewall (2017:0510) stable; urgency=medium

  * Store monit configuration in /usr/share instead of /etc. Use symlinks to
    allow users to enable/disable but discourage editing

 -- Telyn <telyn@bytemark.co.uk>  Wed, 10 May 2017 13:42:15 +0100

symbiosis-firewall (2017:0424) stable; urgency=medium

  * Updated monit scripts to work with systemd.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Mon, 24 Apr 2017 14:40:11 +0100

symbiosis-firewall (2015:1024) stable; urgency=medium

  * Ensure manpages are generated as part of the build task.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Thu, 06 Jul 2017 16:07:35 +0100

symbiosis-firewall (2015:1023) stable; urgency=medium

  * Updated code to work with the new version of symbiosis-common. 

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Thu, 14 Jan 2016 16:42:37 +0000

symbiosis-firewall (2015:1022) stable; urgency=medium

  * Make sure firewall rules for all addresses are applied properly.
  * Fixed two cases of overly verbose output, one from testing to see if the
    nat table exists, and the other parsing IP addresses.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Thu, 22 Oct 2015 16:57:36 +0100

symbiosis-firewall (2015:1009) stable; urgency=medium

  * Changed REJECT target to send back a tcp-reset packet for TCP connections.
  * Only flush nat table if it exists.
  * Rejigged DNS resolution code not to barf if DNS is unavailable.
  * Added basic SYN-ACK/ACK flood protection.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Fri, 09 Oct 2015 17:00:10 +0100

symbiosis-firewall (2015:0617) stable; urgency=medium

  * Changed File#exists? to File#exist? everywhere.
  * Added high numbered port range for passive FTP + TLS.
  * Now all tables (filter, nat, raw) are flushed.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Wed, 17 Jun 2015 10:22:48 +0100

symbiosis-firewall (2015:0128) stable; urgency=medium

  * Updated the Debian standards.

 -- Steve Kemp <steve@bytemark.co.uk>  Wed, 28 Jan 2015 09:55:09 +0000

symbiosis-firewall (2014:1111) stable; urgency=medium

  * Updated postinst not to use scripts with paths.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Fri, 07 Aug 2015 21:36:28 +0100

symbiosis-firewall (2014:1110) stable; urgency=medium

  * Make sure firewall patterns are anchored at one end.
  * Ignore .dpkg-* files in directories.
  * Sanitise log lines to prevent bad UTF causing problems.

 -- James Carter <jcarter@bytemark.co.uk>  Mon, 10 Nov 2014 10:57:26 +0000

symbiosis-firewall (2014:0313) stable; urgency=medium

  * Make sure the firewall load script has sbin in its path.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Thu, 13 Mar 2014 16:09:07 +0000

symbiosis-firewall (2014:0226) stable; urgency=low

  * Tidied up the postinstall for the better, I hope.
  * Removed preinst.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Wed, 26 Feb 2014 15:54:58 +0000

symbiosis-firewall (2014:0218) stable; urgency=low

  * Updated postinst to chown the firewall directory to admin:admin, rather
    than 1000:1000.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Tue, 18 Feb 2014 13:16:33 +0000

symbiosis-firewall (2014:0217) stable; urgency=low

  * Removed old lenny command symlinks.
  * Removed extra spaces from incron.d snippet.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Mon, 17 Feb 2014 11:58:29 +0000

symbiosis-firewall (2014:0214) stable; urgency=low

  * Removed DH_VERBOSE flag in rules.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Fri, 14 Feb 2014 13:11:04 +0000

symbiosis-firewall (2014:0211) stable; urgency=low

  * Removed comments in incron.d snippet.
  * Updated db libraries to fix warnings.
  * Empty hostnames/ports are now ignored.
  * Added more tests to IPDirectory class.
  * Accept service names in blacklist files.
  * Added bug control.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Tue, 11 Feb 2014 15:24:03 +0000

symbiosis-firewall (2014:0116) stable; urgency=low

  * Updated incrond to use /usr/bin/ruby
  * Fixed missing variable in symbiosis-firewall-whitelist.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Thu, 16 Jan 2014 16:39:12 +0000

symbiosis-firewall (2014:0113) stable; urgency=low

  * Updated dependencies.
  * Updateded maintainer and uploaders.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Mon, 13 Jan 2014 17:05:58 +0000

symbiosis-firewall (2013:0711) stable; urgency=low

  * Changing build tag + added ruby1.8 dependency.

 -- John Hackett <jhackett@maker.sh.bytemark.co.uk>  Thu, 11 Jul 2013 15:12:37 +0100

symbiosis-firewall (2013:0611) stable; urgency=low

  * Configure the firewall not to run duing ifup/down if the interface is the
    "lo" loopback interface.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Tue, 11 Jun 2013 16:34:16 +0100

symbiosis-firewall (2013:0610) oldstable; urgency=low

  * Fixed disabling white/blacklist functionality.
  * Changed blacklist to drop rather than reject connections.
  * Blacklist limits are now 100/24h or 25 since last run.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Mon, 10 Jun 2013 14:31:48 +0100

symbiosis-firewall (2012:0418) oldstable; urgency=low

  * Symbiosis::Firewall::Template#to_s no longer tries to interpolate / strip
    $ variables in comment lines.
  * Fixed spelling error in symbiosis-firewall

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Wed, 18 Apr 2012 15:40:15 +0100

symbiosis-firewall (2012:0308) stable; urgency=low

  * Updated reject-www-data rule to create its own chain, ensuring that the
    rule will work for multiple addresses.
  * Allow www-data to do DNS resolution.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Thu, 08 Mar 2012 07:13:05 +0000

symbiosis-firewall (2012:0302) stable; urgency=low

  * Removed useless dependency on lockfile-progs.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Fri, 02 Mar 2012 10:17:55 +0000

symbiosis-firewall (2012:0301) stable; urgency=low

  * Added lockfile checking to symbiosis-firewall.
  * Redirect modprobe stderr to /dev/null
  * Removed chown admin:admin in firewall script to avoid triggering incrond
    whilst running.
  * Updated postinst to remove duff firewall-blocker cronjob
  * Updated postinst not to flush and then load (no longer needed).

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Thu, 01 Mar 2012 16:05:35 +0000

symbiosis-firewall (2012:0223) stable; urgency=low

  * Fixed typo in symbiosis-firewall-blacklist which caused the expiration of
    old entries to fail.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Wed, 22 Feb 2012 22:43:27 +0000

symbiosis-firewall (2012:0222) stable; urgency=low

  * Fixed firewall tests to work.
  * Updated copyright dates.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Wed, 22 Feb 2012 14:16:39 +0000

symbiosis-firewall (2012:0221) stable; urgency=low

  * Firewall black/whitelists now log to syslog.
  * Whitelist interacts better with incron.
  * Firewall scripts now use consistent "disabled" flags.
  * symbiosis-firewall can now flush, even if the disabled flag is in place.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Tue, 21 Feb 2012 12:15:11 +0000

symbiosis-firewall (2012:0215) stable; urgency=low

  * Renamed match-uid-not-www-data to reject-www-data for sanity.
  * Removed default 99-reject rule for outgoing.
  * Added --flush flag which sets the action to "flush".
  * Made sure that there are no duplicate addresses passed to templates.
  * Made sure that DNS lookups are not done when checking to see if
    white/blacklists exist -- this speeds things up.
  * Now use incron to process firewall changes.
  * Added check for "disabled" files to firewall.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Mon, 20 Feb 2012 14:06:01 +0000

symbiosis-firewall (2012:0208) stable; urgency=low

  * Updated debian control files to fix lintian errors
  * Updated debian control files to use relationships properly, as per section 7.6
  * Updated Symbiosis::Firewall API docs.
  * Specified ruby1.8 for firewall package
  * Removed old cron firewall-test if present.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Tue, 07 Feb 2012 17:16:05 +0000

symbiosis-firewall (2012:0201) stable; urgency=low

  * Firewall is now called when interfaces go up and down.
  * Firewall can now be called with -4 and -6 flags for ipv4/6 only
    invocations.
  * Fixed bug whereby an "accept all" rule was inserted when templates, ports
    or services could not be found.
  * Added more directories to the default search path.
  * Added check to make sure unused variables are removed from legacy
    templates.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Fri, 27 Jan 2012 16:09:59 +0000

symbiosis-firewall (2012:0124) stable; urgency=low

  * Set symbiosis-firewall-whitelist to execute its script and then delete by
    default.
  * Set symbiosis-firewall-blacklist to execute its script and then delete by
    default.
  * Updated firewall blacklist to handle errors betterly.
  * Fixed typo in symbiosis-firewall-blacklist which stopped it working.
  * Fixed blacklist test
  * Added firewall tests to test suite and fixed firewall test.d install location.
  * Updated firewall tests to be quieter.
  * Updated utmp test to check for gcc and /usr/include/pwd.h before starting.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Tue, 24 Jan 2012 17:34:27 +0000

symbiosis-firewall (2012:0117) stable; urgency=low

  * Added rescue block to show help when parsing options in
    symbiosis-blacklist/whitelist

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Tue, 17 Jan 2012 17:00:02 +0000

symbiosis-firewall (2012:0111) stable; urgency=low

  * Default to deleting the firewall when adding new whitelist
    entries.

 -- Steve Kemp <steve@bytemark.co.uk>  Wed, 11 Jan 2012 12:29:21 +0000

symbiosis-firewall (2011:1214) stable; urgency=low

  * New standards version
  * Fixed path in symbiosis-firewall-white/blacklist
  * Moved ipaddr library to common

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Wed, 14 Dec 2011 21:12:30 +0000

symbiosis-firewall (2011:1206) stable; urgency=low

  * Tidied packaging, and removed old perl scripts.
  * Added black and whitelist generation to ruby
  * Added verbose flag to bash scripts
  * Improved man pages
  * Updated standards version (no changes).

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Tue, 06 Dec 2011 16:14:25 +0000

symbiosis-firewall (2011:1202) stable; urgency=low

  * Rewrite into ruby.

 -- Patrick J Cherry <patrick@bytemark.co.uk>  Fri, 02 Dec 2011 18:16:02 +0000

symbiosis-firewall (2010:1224) stable; urgency=low

  * Whitelist hosts mentioned in /etc/hosts.allow.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 24 Dec 2010 11:52:00 +0000

symbiosis-firewall (2010:1109) stable; urgency=low

  * Always allow --flush to succeed.

 -- Steve Kemp <steve@bytemark.co.uk>  Tue, 9 Nov 2010 17:18:19 +0000

symbiosis-firewall (2010:0915) stable; urgency=low

  * Don't re-run the firewall unless we've genuinely removed
    a whitelisted entry, or added a new one.

 -- Steve Kemp <steve@bytemark.co.uk>  Wed, 15 Sep 2010 17:18:19 +0000

symbiosis-firewall (2010:0910) stable; urgency=low

  * Correctly process whitelisted IP addresses.
  * Expire whitelisted entries which are older than 8 days.
  * The blacklister will honour even auto-whitelisted IPs.
  * Updated to avoid issues with unused blacklist files.
  * Log firewall actions to a file, not to STDOUT/STDERR.
    - The logfiles are also used by the blacklist/whitelist components.
  * Lock the firewall to prevent multiple concurrent executions.
  * When blacklisting IPs count multiple destination port probes
    as equal.  e.g. ssh + smtp failures are summed, not treated separately.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 10 Sep 2010 08:08:08 +0000

symbiosis-firewall (2010:0628) stable; urgency=low

  * Updated to use /etc/symbiosis/firewall as the prefix
    directory rather than /etc/firewall

 -- Steve Kemp <steve@bytemark.co.uk>  Wed, 23 Jun 2010 10:20:30 +0000

symbiosis-firewall (2010:0604) stable; urgency=low

  [ Steve Kemp ]
  * Updated to provide a clean transition.
  * Updated the default location for the firewalls built-in rules
  * Updated so that the firewall rules use the correct direction.

  [ Patrick J Cherry ]
  * Switched to dpkg-source 3.0 (native) format

 -- Steve Kemp <steve@bytemark.co.uk>  Thu, 03 Jun 2010 13:51:30 +0100

symbiosis-firewall (2010:0427) stable; urgency=low

  * Renamed the main package.
    - But still "Provide:" the old name.

 -- Steve Kemp <steve@bytemark.co.uk>  Tue, 27 Apr 2010 16:00:16 +0000

bytemark-vhost-firewall (2010:0421) stable; urgency=low

  * Install a trivial manpage for `firewall-logtail`.

 -- Steve Kemp <steve@bytemark.co.uk>  Wed, 21 Apr 2010 10:00:01 +0000

bytemark-vhost-firewall (2009:1126-1) stable; urgency=low

  * Avoid making rules specific to devices.

 -- Steve Kemp <steve@bytemark.co.uk>  Thu, 26 Nov 2009 16:24:16 +0000

bytemark-vhost-firewall (2009:1021-1) stable; urgency=low

  * Correctly use the epoch.

 -- Steve Kemp <steve@bytemark.co.uk>  Wed, 21 Oct 2009 16:51:16 +0000

bytemark-vhost-firewall (2009.1019-1) stable; urgency=low

  * Supply empty local.d/ and whitelist.d/ directories by default.
  * Log to syslog any IPs which we've temporarily blacklisted.

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 19 Oct 2009 14:32:21 +0000

bytemark-vhost-firewall (2009:1009-1) stable; urgency=low

  * Our blacklist application now can block on a per-port basis, and
    will do so by default for OpenSSH.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 9 Oct 2009 12:44:21 +0000

bytemark-vhost-firewall (2009:0918-1) stable; urgency=low

  * We don't place a newline in .auto files generated by the blacklist
    script.  Credit to Karl Dyson for the bug.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 18 Sep 2009 16:33:01 +0000

bytemark-vhost-firewall (2009:0916-1) stable; urgency=low

  * Blacklisting files now allow per-port blocks.

 -- Steve Kemp <steve@bytemark.co.uk>  Tue, 16 Sep 2009 10:15:01 +0000

bytemark-vhost-firewall (20090901095146) stable; urgency=low

  * Skip "tun" devices.

 -- Steve Kemp <steve@bytemark.co.uk>  Tue, 1 Sep 2009 09:51:46 +0000

bytemark-vhost-firewall (20090825102446) stable; urgency=low

  * Duplicate IPv4 rules onto IPv6 if such support is enabled.

 -- Steve Kemp <steve@bytemark.co.uk>  Tue, 25 Aug 2009 10:24:46 +0000

bytemark-vhost-firewall (20090812171748) stable; urgency=low

  * Correctly handle mis-named blacklisted files.

 -- Steve Kemp <steve@bytemark.co.uk>  Wed, 12 Aug 2009 17:17:48 +0000

bytemark-vhost-firewall (20090812162548) stable; urgency=low

  * Remove active blacklist entries for IPs which are subsequently
    whitelisted.

 -- Steve Kemp <steve@bytemark.co.uk>  Wed, 12 Aug 2009 16:25:48 +0000

bytemark-vhost-firewall (20090731104804) stable; urgency=low

  * If the firewall-blacklist program is disabled then reload the
    firewall prior to exiting - to flush out bogus entries.
  * Added the "logtail" script from the Debian logcheck package so
    that we only process new entries.
  * Changed our cronjob so that we run every 15 minutes not every 5.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 31 Jul 2009 10:48:04 +0000

bytemark-vhost-firewall (20090707153244) stable; urgency=low

  * Per-Lenny vhost repository, rather than branches

 -- Steve Kemp <steve@bytemark.co.uk>  Tue, 7 Jul 2009 15:32:44 +0000

bytemark-vhost-firewall (20090522105210) stable; urgency=low

  * New release for Lenny.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 22 May 2009 10:52:10 +0000

bytemark-vhost-firewall (20091505152733) stable; urgency=low

  * Build-depend upon Ruby.
  * Use the correct pathname in /etc/cron.d/firewall-blocker.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 15 May 2009 15:27:33 +0000

bytemark-vhost-firewall (20081119130025) stable; urgency=low

  * depend upon iproute.
  * Attempt to find network devices dynamically

 -- Steve Kemp <steve@bytemark.co.uk>  Tue, 18 Nov 2008 13:00:25 +0000

bytemark-vhost-firewall (20081118120409) stable; urgency=low

  * New installs will have 00-related by default.
  * Load the ip_conntrack modules if available.

 -- Steve Kemp <steve@bytemark.co.uk>  Tue, 18 Nov 2008 12:04:04 +0000

bytemark-vhost-firewall (20081118095920) stable; urgency=low

  * The "N-allow" rule is now correct.

 -- Steve Kemp <steve@bytemark.co.uk>  Tue, 18 Nov 2008 09:59:20 +0000

bytemark-vhost-firewall (20081117173759) stable; urgency=low

  * Create the blacklist directory if it is missing.
  * Add manpage for the firewall-blacklist script.
  * Never blacklist 127.*
  * Allow the blacklister to be disabled distinctly from the firewall.

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 17 Nov 2008 17:37:59 +0000

bytemark-vhost-firewall (20081117171938) stable; urgency=low

  * If a named logfile doesn't exist we abort.

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 17 Nov 2008 17:19:19 +0000

bytemark-vhost-firewall (20081117171455) stable; urgency=low

  * New format for blacklist patterns.

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 17 Nov 2008 17:17:17 +0000

bytemark-vhost-firewall (20081117154411) stable; urgency=low

  * If the firewall has been disabled then the blacklisting script is
    also disabled.

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 17 Nov 2008 15:44:44 +0000

bytemark-vhost-firewall (20081117132150) stable; urgency=low

  * Be more strict about deleting our temporary firewall script.

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 17 Nov 2008 13:21:50 +0000

bytemark-vhost-firewall (20081117131248) stable; urgency=low

  * Added new command line flags to the firewall-blacklist script:
     --attempts - The number of failing attemps we need before blacklisting.
     --expire  - The number of days to keep blacklisted records.

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 17 Nov 2008 13:13:13 +0000

bytemark-vhost-firewall (20081117130218) stable; urgency=low

  * Correctly ignore the .auto suffix when reloading the firewall.

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 17 Nov 2008 13:00:31 +0000

bytemark-vhost-firewall (20081117124948) stable; urgency=low

  * The firewall-blacklist package will create blacklist entries with
    an .auto suffix.
  * The firewall package will recognise .auto as a valid blacklist
    suffix

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 17 Nov 2008 12:55:21 +0000

bytemark-vhost-firewall (20081110153349) stable; urgency=low

  * Install cron.d/ snippet to block dictionary attacks.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 14 Nov 2008 17:48:00 +0000

bytemark-vhost-firewall (20081110153349) stable; urgency=low

  * Remove denyhosts when we're present.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 14 Nov 2008 17:27:27 +0000

bytemark-vhost-firewall (20081110153348) stable; urgency=low

  * Only blacklist hosts which fail 5 times.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 14 Nov 2008 17:14:15 +0000

bytemark-vhost-firewall (20081110153347) stable; urgency=low

  * Conflict with denyhosts

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 14 Nov 2008 16:50:16 +0000

bytemark-vhost-firewall (20081110153346) stable; urgency=low

  * Correctly reject blacklisted IPs.
  * Replace the bytemark-vhost-ssh-protection.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 14 Nov 2008 16:44:44 +0000

bytemark-vhost-firewall (20081110153345) stable; urgency=low

  * Added 'firewall-blacklist' to blacklist hosts attacking SSH.

 -- Steve Kemp <steve@bytemark.co.uk>  Fri, 14 Nov 2008 16:33:33 +0000

bytemark-vhost-firewall (20081110153344) stable; urgency=low

  * The Bytemark Virtual Hosting Package bytemark-vhost-firewall
    - Support may be found at http://vhost.bytemark.co.uk/

 -- Steve Kemp <steve@bytemark.co.uk>  Mon, 10 Nov 2008 15:33:44 +0000
