On Tue, Aug 31, 2004 at 04:04:07PM -0400, Yang Xiao wrote:
On Tue, 31 Aug 2004 15:41:35 -0400, Scot L. Harris webid@cfl.rr.com wrote:
I have noticed an anomaly with iptables and ntpd. During boot ntpd opens up some ports in the firewall.
If you stop and start iptables these ports are no longer open. I
....
Should this be reported in bugzilla or is there a logical reason things are setup this way?
....
The port is opened by the /etc/init.d/ntp script; this means you need to restart ntp after you restart iptables.
IMO it should be reported in bugzilla if only to make it possible to Google the topic.
It makes sense to me that /etc/init.d/iptables should have some awareness of applications that depend on it or are impacted by it, and ntpd seems to be just such a case. The list could be long; expect the keepers of iptables to not want to open the door to a flood.
Pseudocode might sound like: if iptables restart and if "chkconfig ntpd" then /etc/init.d/ntpd restart.
Quick test...
  # if chkconfig ntpd; then echo yea; fi
  # if chkconfig ntp ; then echo yea; fi
Perhaps a config line in "/etc/sysconfig/${IPTABLES}-config", something like a default 'No' flag so the universe of users is not confused:
  #IPTABLES_RESTARTS_NTPD="No"
to manage this feature.
Anyhow, think of the ways this could help and hurt; get them in the bug so it is clear what the value, risks and controls are.
Today, I only see firestarter, iptables, and ntpd as players in this. Do not ignore SELinux.... where the chain of necessary roles could prove to be a problem.
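The restart hook sketched in the message above, as an added example written for this thread rather than code from the Fedora iptables or ntpd init scripts; the IPTABLES_RESTARTS_NTPD flag and the sysconfig path are the hypothetical ones proposed there, and the chkconfig command is taken as a parameter so the decision logic can be exercised on a box without chkconfig.

```shell
#!/bin/sh
# Hook for /etc/init.d/iptables: after the firewall is restarted, restart ntpd
# so the ports its own init script opened are re-added to the fresh ruleset.
# Constructed example; IPTABLES_RESTARTS_NTPD is the hypothetical flag from the
# thread and defaults to "No" so existing installs see no change in behaviour.

IPTABLES_CONFIG=/etc/sysconfig/iptables-config

# Only an explicit Yes (any case) enables the feature; anything else is off.
flag_is_yes() {
    case "$1" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when ntpd should be restarted: the flag in config file $1 is Yes
# AND ntpd is enabled for the current runlevel. $2 is the enablement check
# (default "chkconfig ntpd"); it is a parameter so the logic can be tested
# without chkconfig present.
ntpd_restart_wanted() {
    cfg="$1"
    check="${2:-chkconfig ntpd}"
    IPTABLES_RESTARTS_NTPD="No"              # default when the file lacks the key
    if [ -r "$cfg" ]; then
        . "$cfg"                             # sysconfig files are plain sh assignments
    fi
    flag_is_yes "$IPTABLES_RESTARTS_NTPD" || return 1
    $check >/dev/null 2>&1                   # word-split on purpose: "chkconfig ntpd"
}

# Call this from the restart) branch of /etc/init.d/iptables, after the rules
# have been reloaded; with the flag left at "No" it does nothing.
restart_ntpd_if_wanted() {
    if ntpd_restart_wanted "$IPTABLES_CONFIG"; then
        /etc/init.d/ntpd restart
    fi
}
```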