On Tue, 2004-08-31 at 17:28, Yang Xiao wrote:
> On Tue, 31 Aug 2004 22:16:05 +0100, D. D. Brierton
> > On Tue, 2004-08-31 at 21:29, Yang Xiao wrote:
> > > Well, I guess you can call it a bug, but it's not difficult to do an
> > > iptables-save > /etc/sysconfig/iptables or even manually add the ntp
> > > rules to the iptables file to permanently store the ntp rules before
> > > you start to make changes so that it won't get lost when you restart
> > > iptables?
> > Yang, I think you're missing Scot's point. It's not about difficulty,
> > it's about discoverability. Someone who has FC on a server that has
> > quite long uptimes might be mystified as to why the clock is completely
> > inaccurate despite their running ntpd because they didn't realise that
> > restarting iptables had firewalled it off.
> > I myself am happy for services to "punch holes" through the firewall
> > when they start up as long as iptables is somehow made aware of this
> > fact, so that if it has to be restarted it doesn't suddenly firewall all
> > those services off.
> > Best, Darren
> As far as I'm aware, this problem existed in RH9 or maybe even
> earlier versions. I guess the ntp service start scripts were designed
> to make life easier but created a situation where the user can lose
> control when trying to customize.
> As to the original post by Scot, I agree, it is a bug that there
> isn't a hook in IPTABLES to check for what services need to punch
> holes when restarted. Mainly because they scripted in the service
> startup scripts to do so. Otherwise, this is just a preference issue.
Personally I think it is wrong to have another service's startup script
make changes to iptables. If a service needs a hole in the firewall
then that should be documented so the admin can apply the change to
iptables. Short term this is the best solution. Longer term something
that lets iptables identify such requirements and control them when you
start and stop iptables would be good.
Scot L. Harris
You've been Berkeley'ed!
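A check for the discoverability problem Darren describes, added here as an example and not code from any poster in the thread: it compares a live `iptables-save` dump against the persisted file so that rules a service punched at startup show up before an iptables restart drops them. The file paths and both sample rulesets are constructed for the demo.

```shell
# Added example, not code from the thread: list rules that are loaded in the
# kernel but missing from the persisted file, so holes a service punched at
# startup (like the ntp rule above) are spotted BEFORE "service iptables
# restart" silently closes them. Inputs are iptables-save text; paths are
# hypothetical.

# unsaved_rules RUNNING SAVED
#   RUNNING: output of `iptables-save` (the live ruleset)
#   SAVED:   the persisted file, e.g. /etc/sysconfig/iptables
# Prints each "-A ..." rule present in RUNNING but absent from SAVED.
unsaved_rules() {
    grep '^-A ' "$1" | while IFS= read -r rule; do
        # -x -F: whole line, literal match (no regex surprises from -m/--dport)
        grep -qxF -- "$rule" "$2" || printf '%s\n' "$rule"
    done
}

# make_samples DIR: constructed rulesets. DIR/running is DIR/saved plus the
# NTP accept rule an ntpd init script might have added at runtime.
make_samples() {
    cat > "$1/saved" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
    cat > "$1/running" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
COMMIT
EOF
}

# Demo on the constructed files; on a real host the running file would come
# from "iptables-save > /tmp/running" and the saved one from /etc/sysconfig.
tmp=$(mktemp -d)
make_samples "$tmp"
missing=$(unsaved_rules "$tmp/running" "$tmp/saved")
if [ -n "$missing" ]; then
    printf 'Rules that would be lost on iptables restart:\n%s\n' "$missing"
fi
rm -rf "$tmp"
```

An empty result from `unsaved_rules` is the condition to require before restarting iptables; a non-empty one is the list to append to the saved file first.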