From d1b9e71173cef86fab16258cf5dc72dcb2b9b244 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Wed, 26 May 2010 17:58:01 -0400
Subject: [PATCH 1/2] Adding arno-iptables-firewall (no deprecation of ipmasq per Joey Hess mentioning, which still could be used on lenny systems)
---
 debian/fail2ban.init | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/fail2ban.init b/debian/fail2ban.init
index 51b6f092..b0ed2c65 100755
--- a/debian/fail2ban.init
+++ b/debian/fail2ban.init
@@ -3,8 +3,8 @@
 # Provides: fail2ban
 # Required-Start: $local_fs $remote_fs
 # Required-Stop: $local_fs $remote_fs
-# Should-Start: $time $network $syslog iptables firehol shorewall ipmasq
-# Should-Stop: $network $syslog iptables firehol shorewall ipmasq
+# Should-Start: $time $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall
+# Should-Stop: $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall
 # Default-Start: 2 3 4 5
 # Default-Stop: 0 1 6
 # Short-Description: Start/stop fail2ban
From 833f60a38a4e457b33c8206cf2cad5bc3cd788aa Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Mon, 28 Jun 2010 21:45:47 -0400
Subject: [PATCH 2/2] Replacing word of caution with big fat warning and commenting out named-refused-udp completely (Closes: #583364)
---
 debian/jail.conf | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/debian/jail.conf b/debian/jail.conf
index ef4c7438..931db9af 100644
--- a/debian/jail.conf
+++ b/debian/jail.conf
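Review bot: The Should-Start ordering only settles boot sequencing; if arno-iptables-firewall (or any other firewall on that line) is restarted while fail2ban is running, it presumably reloads its own ruleset and fail2ban's chains may be dropped without fail2ban noticing, which this header cannot prevent. That caveat is not documented anywhere visible in the hunk. I would add, below the `### END INIT INFO` line rather than inside the LSB block (insserv parses those header keys), a comment such as `# Should-Start only orders boot: restarting a listed firewall later may flush fail2ban's chains, so restart fail2ban afterwards.` Whether arno-iptables-firewall actually flushes foreign chains on restart cannot be confirmed from this diff.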
@@ -262,17 +262,20 @@ logpath = /var/log/mail.log
 #
 # in your named.conf to provide proper logging
-# Word of Caution:
-# Given filter can lead to DoS attack against your DNS server
-# since there is no way to assure that UDP packets come from the
-# real source IP
-[named-refused-udp]
-
-enabled = false
-port = domain,953
-protocol = udp
-filter = named-refused
-logpath = /var/log/named/security.log
+# !!! WARNING !!!
+# Since UDP is connectionless protocol, spoofing of IP and immitation
+# of illegal actions is way too simple. Thus enabling of this filter
+# might provide an easy way for implementing a DoS against a chosen
+# victim. See
+# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+# Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp] # #enabled = false #port = domain,953 #protocol = udp #filter = named-refused #logpath = /var/log/named/security.log [named-refused-tcp]
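Review bot: Commenting out the entire `[named-refused-udp]` section also removes its `filter`, `port` and `logpath` defaults, so an existing jail.local that only sets `enabled = true` for this jail will presumably no longer start it (fail2ban needs a filter and logpath to build a jail); that is the safe failure mode, but the new warning does not tell the admin so. I would add one line after `# Please DO NOT USE this jail unless you know what you are doing.`: `# If you must, copy the whole block into jail.local; enabling it there alone is no longer enough.` The warning text has typos worth fixing while it is being rewritten: `# Since UDP is a connectionless protocol, spoofing of IP and imitation`. The trailing context cuts into `[named-refused-tcp]`, which is left enabled-by-default-false; a sentence explaining why the TCP variant is not covered by the same warning (a completed TCP connection cannot come from a spoofed source) would help, but nothing in the diff documents that distinction.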