Merge branch 'debian' into debian-release

* debian:
  Replacing word of caution with big fat warning and commenting out named-refused-udp completely (Closes: #583364)
  Adding arno-iptables-firewall (no deprecation of ipmasq per Joey Hess mentioning, which still could be used on lenny systems)

debian/fail2ban.init

@@ -3,8 +3,8 @@
 # Provides:          fail2ban
 # Required-Start:    $local_fs $remote_fs
 # Required-Stop:     $local_fs $remote_fs
-# Should-Start:      $time $network $syslog iptables firehol shorewall ipmasq
+# Should-Start:      $time $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall
-# Should-Stop:       $network $syslog iptables firehol shorewall ipmasq
+# Should-Stop:       $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Start/stop fail2ban

debian/jail.conf

@@ -262,17 +262,20 @@ logpath  = /var/log/mail.log
 #
 # in your named.conf to provide proper logging
 
-# Word of Caution:
+# !!! WARNING !!!
-# Given filter can lead to DoS attack against your DNS server
+#   Since UDP is connectionless protocol, spoofing of IP and immitation
-# since there is no way to assure that UDP packets come from the
+#   of illegal actions is way too simple.  Thus enabling of this filter
-# real source IP
+#   might provide an easy way for implementing a DoS against a chosen
-[named-refused-udp]
+#   victim. See
-
+#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
-enabled  = false
+#   Please DO NOT USE this jail unless you know what you are doing.
-port     = domain,953
+#[named-refused-udp]
-protocol = udp
+#
-filter   = named-refused
+#enabled  = false
-logpath  = /var/log/named/security.log
+#port     = domain,953
+#protocol = udp
+#filter   = named-refused
+#logpath  = /var/log/named/security.log
 
 [named-refused-tcp]