Possible bug with ntpd and Iptables

Scot L. Harris webid at cfl.rr.com
Wed Sep 1 00:56:33 UTC 2004


On Tue, 2004-08-31 at 17:28, Yang Xiao wrote:
> On Tue, 31 Aug 2004 22:16:05 +0100, D. D. Brierton <darren at dzr-web.com> wrote:
> > On Tue, 2004-08-31 at 21:29, Yang Xiao wrote:
> > 
> > > Well, I guess you can call it a bug, but it's not difficult to do an
> > > iptables-save > /etc/sysconfig/iptables or even manually add the ntp
> > > rules to the iptables file
> > > to permanently store the ntp rules before you start to make changes so
> > > that they won't get lost when you restart iptables?
> > 
> > Yang, I think you're missing Scot's point. It's not about difficulty,
> > it's about discoverability. Someone who has FC on a server that has
> > quite long uptimes might be mystified as to why the clock is completely
> > inaccurate despite their running ntpd because they didn't realise that
> > restarting iptables had firewalled it off.
> > 
> > I myself am happy for services to "punch holes" through the firewall
> > when they start up as long as iptables is somehow made aware of this
> > fact, so that if it has to be restarted it doesn't suddenly firewall all
> > those services off.
> > 
> > Best, Darren
> > 
> As far as I'm aware, this problem existed in RH9 or maybe even
> earlier versions. I guess the ntp service start scripts were designed
> to make life easier but created a situation where the user can lose
> control when trying to customize.
> As to the original post by Scot, I agree, it is a bug that there
> isn't a hook in IPTABLES to check for what services need to punch
> holes when restarted. Mainly because they scripted in the service
> startup scripts to do so. Otherwise, this is just a preference issue.
> 
> Yang

Personally I think it is wrong to have another service's startup script
make changes to iptables.  If a service needs a hole in the firewall
then that should be documented so the admin can apply the change to
iptables.  Short term this is the best solution.  Longer term something
that lets iptables identify such requirements and control them when you
start and stop iptables would be good.

-- 
Scot L. Harris
webid at cfl.rr.com

You've been Berkeley'ed! 
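The failure mode the thread describes (ntpd's init script opens UDP/123 in the running ruleset, but /etc/sysconfig/iptables never learns about it, so the next `service iptables restart` silently closes it) can be caught before the restart by comparing the live `iptables-save` output with the persisted file. The script below is an added example and is not part of the list thread or of any Fedora/Red Hat package; the two rule dumps are constructed samples, and the function names `has_ntp_rule` and `check_ntp_persisted` are hypothetical. On a real box the live dump would come from `iptables-save` and the saved one from /etc/sysconfig/iptables, as Yang's message suggests.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output in which the ntp hole is present
# (what the running kernel ruleset looks like after ntpd's init script ran).
SAVED_WITH_NTP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample of a persisted /etc/sysconfig/iptables that was written
# before ntpd added its rule, so the hole is missing.
SAVED_WITHOUT_NTP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Return 0 if the dump on stdin contains an INPUT rule accepting UDP port 123
# (the rule ntpd's startup script adds), 1 otherwise.
has_ntp_rule() {
    grep -Eq -- '^-A INPUT .*-p udp .*--dport 123 .*-j ACCEPT'
}

# Compare the live ruleset with the persisted one for the ntp hole.
# Arguments: live dump text, saved dump text.
# Returns 1 (and warns) when the running firewall allows ntp but the saved
# file does not, i.e. when a restart of iptables would firewall ntpd off.
check_ntp_persisted() {
    live="$1"
    saved="$2"
    if printf '%s\n' "$live" | has_ntp_rule; then live_ok=yes; else live_ok=no; fi
    if printf '%s\n' "$saved" | has_ntp_rule; then saved_ok=yes; else saved_ok=no; fi
    if [ "$live_ok" = yes ] && [ "$saved_ok" = no ]; then
        echo "WARNING: ntp hole is open in the running firewall but absent from the saved rules; restarting iptables will close it"
        return 1
    fi
    echo "ok: live=$live_ok saved=$saved_ok"
    return 0
}

# Stand-alone demonstration with the constructed dumps: first the mismatch the
# thread complains about, then the consistent case after `iptables-save` was
# redirected into /etc/sysconfig/iptables.
check_ntp_persisted "$SAVED_WITH_NTP" "$SAVED_WITHOUT_NTP" || true
check_ntp_persisted "$SAVED_WITH_NTP" "$SAVED_WITH_NTP"
```

Run from cron or as a pre-restart check; substituting `"$(iptables-save)"` and `"$(cat /etc/sysconfig/iptables)"` for the two sample variables turns it into the discoverability aid Darren asks for, without letting any service's init script rewrite the persisted rules on its own.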