Possible bug with ntpd and Iptables

Yang Xiao yxiao2004 at gmail.com
Tue Aug 31 21:28:21 UTC 2004


On Tue, 31 Aug 2004 22:16:05 +0100, D. D. Brierton <darren at dzr-web.com> wrote:
> On Tue, 2004-08-31 at 21:29, Yang Xiao wrote:
> 
> > Well, I guess you can call it a bug, but it's not difficult to do an
> > iptables-save > /etc/sysconfig/iptables or even manually add the ntp
> > rules to the iptables file
> > to permanently store the ntp rules before you start to make changes so
> > that it won't get lost when you restart iptables?
> 
> Yang, I think you're missing Scot's point. It's not about difficulty,
> it's about discoverability. Someone who has FC on a server that has
> quite long uptimes might be mystified as to why the clock is completely
> inaccurate despite their running ntpd because they didn't realise that
> restarting iptables had firewalled it off.
> 
> I myself am happy for services to "punch holes" through the firewall
> when they start up as long as iptables is somehow made aware of this
> fact, so that if it has to be restarted it doesn't suddenly firewall all
> those services off.
> 
> Best, Darren
> 
As far as I'm aware, this problem existed in RH9 or maybe even
earlier versions. I guess the ntp service start scripts were designed
to make life easier but created a situation where the user can lose
control when trying to customize.

As to the original post by Scott, I agree, it is a bug that there
isn't a hook in IPTABLES to check for what services need to punch
holes when restarted. Mainly because they scripted in the service
startup scripts to do so. Otherwise, this is just a preference issue.

Yang
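The failure mode discussed in this thread is a drift between the running iptables ruleset (where the ntpd init script punched its hole) and the persisted ruleset that "service iptables restart" reloads. The script below is an added example, not code from the thread or from Fedora's init scripts: it checks two iptables-save dumps for exactly that drift. It assumes the persisted file is /etc/sysconfig/iptables in iptables-save format and that the NTP hole is an ACCEPT for UDP port 123; the two dumps it works on here are constructed sample data, not real system output.

```shell
#!/bin/sh
# Added example (not from the fedora-list thread): report rules that exist in
# the *running* iptables ruleset but not in the *persisted* one, i.e. rules
# that a service start script punched in and that would vanish on
# "service iptables restart".
#
# Assumptions: dumps are in iptables-save format; the persisted file on a
# real Fedora box is /etc/sysconfig/iptables; the NTP hole accepts udp/123.

# True if the given dump contains an ACCEPT rule for UDP port 123 (NTP).
# Handles both "--dport 123" and "--dport ntp", with or without "-m udp".
has_ntp_accept() {
    # $1: file (or "-" for stdin) holding iptables-save output
    grep -E -- '^-A .*-p udp .*--dport (123|ntp) .*-j ACCEPT' "$1" >/dev/null 2>&1
}

# Print every "-A ..." rule present in the running dump ($1) but absent from
# the persisted dump ($2). Returns 0 when nothing would be lost, 1 otherwise.
rules_lost_on_restart() {
    running="$1"; persisted="$2"
    lost=$(grep '^-A ' "$running" | while IFS= read -r rule; do
        # -x: whole-line match, -F: literal; "--" keeps "-A" from being an option
        grep -qxF -- "$rule" "$persisted" || printf '%s\n' "$rule"
    done)
    [ -z "$lost" ] && return 0
    printf '%s\n' "$lost"
    return 1
}

# Constructed sample data (not real output): the ruleset as it was saved to
# /etc/sysconfig/iptables before ntpd started, and the running ruleset after
# ntpd's init script added its hole.
WORK=$(mktemp -d)
PERSISTED="$WORK/iptables.persisted"   # stands in for /etc/sysconfig/iptables
RUNNING="$WORK/iptables.running"       # stands in for `iptables-save` output
cat > "$PERSISTED" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
cat > "$RUNNING" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# Demonstration: the exact situation Scott and Darren describe.
if has_ntp_accept "$RUNNING" && ! has_ntp_accept "$PERSISTED"; then
    echo "NTP hole is open now but would close on 'service iptables restart':"
fi
rules_lost_on_restart "$RUNNING" "$PERSISTED" ||
    echo "Review the rules above, then persist them: iptables-save > /etc/sysconfig/iptables"
```

On a live system the two inputs would be `iptables-save` piped to a temp file and /etc/sysconfig/iptables itself; the comparison is a literal line match on the "-A" rules, so a rule that is semantically equivalent but spelled differently in the saved file is reported as lost and should be checked by hand before overwriting the persisted file.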
