Possible bug with ntpd and Iptables
Nifty Hat Mitch
mitch48 at sbcglobal.net
Wed Sep 1 06:06:04 UTC 2004
On Tue, Aug 31, 2004 at 04:04:07PM -0400, Yang Xiao wrote:
> On Tue, 31 Aug 2004 15:41:35 -0400, Scot L. Harris <webid at cfl.rr.com> wrote:
> > I have noticed an anomaly with iptables and ntpd. During boot ntpd
> > opens up some ports in the firewall.
> >
> > If you stop and start iptables these ports are no longer open. I
....
> > Should this be reported in bugzilla or is there a logical reason things
> > are setup this way?
....
> The port is opened by the /etc/init.d/ntp script, this means you need
> to restart ntp after you restart iptables.
IMO it should be reported in bugzilla if only to
make it possible to Google the topic.
It makes sense to me that /etc/init.d/iptables should have some
awareness of applications that depend on or are impacted by it, and ntpd
seems to be just such a case. The list could be long; expect the keepers
of iptables not to want to open the door to a flood.
Pseudocode might sound like: if iptables restart and if "chkconfig
ntpd" then /etc/init.d/ntpd restart.
Quick test...
# if chkconfig ntpd; then echo yea; fi
# if chkconfig ntp ; then echo yea; fi
Perhaps a config line in "/etc/sysconfig/${IPTABLES}-config",
something like a default 'No' flag so the universe of users is not
confused:
#IPTABLES_RESTARTS_NTPD="No"
to manage this feature.
Anyhow, think of the ways this could help and hurt; get them in
the bug so it is clear what the value, risks and controls are.
Today, I only see firestarter, iptables, and ntpd as players in this.
Do not ignore SELinux, where the chain of necessary roles could prove
to be a problem.
--
T o m M i t c h e l l
Just say no to 74LS73 in 2004
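The restart hook proposed in the message above, worked through as an added example (it is not code from the thread, from Fedora's iptables init script or from its ntpd package). The flag name IPTABLES_RESTARTS_NTPD follows the proposal; every function name, the stub chkconfig commands and the sample config files are assumptions made here so the decision logic can be run offline. One check a practitioner would want is already built in: the flag is parsed out of the sysconfig file rather than sourced, so a root-run init script never executes whatever else ended up on that line.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora's iptables package:
# the "iptables restart -> restart ntpd" hook sketched above, written so the
# decision logic can be exercised without a real chkconfig or iptables.
# Hypothetical: the IPTABLES_RESTARTS_NTPD flag and every function name here.

# Read the flag from a sysconfig-style file WITHOUT sourcing it, so a root
# init script never executes a stray command that ends up in the file.
# Prints "yes" or "no"; anything unset, commented out or unrecognised is "no",
# the conservative default proposed above.
restart_flag() {
    val=$(sed -n 's/^[[:space:]]*IPTABLES_RESTARTS_NTPD=\(.*\)$/\1/p' "$1" 2>/dev/null \
          | tail -n 1 | sed 's/#.*//' | tr -d "\"' \t")
    case "$val" in
        [Yy][Ee][Ss]|[Yy]|1) echo yes ;;
        *)                   echo no  ;;
    esac
}

# Decide whether ntpd must be bounced after "iptables restart".
#   $1  config file carrying IPTABLES_RESTARTS_NTPD
#   $2  command that exits 0 when ntpd is enabled for the current runlevel
#       (on a real box "chkconfig", exactly as the quick test above uses it;
#       stubs are passed in below so this runs offline)
# Exit status 0 = restart ntpd, 1 = leave it alone.
should_restart_ntpd() {
    [ "$(restart_flag "$1")" = yes ] || return 1
    "$2" ntpd >/dev/null 2>&1 || return 1
    return 0
}

# Stand-ins for "chkconfig ntpd" on a box where ntpd is on / off.
stub_chkconfig_on()  { return 0; }
stub_chkconfig_off() { return 1; }

# What the tail of the restart) case in /etc/init.d/iptables would call.
post_restart_hook() {
    if should_restart_ntpd /etc/sysconfig/iptables-config chkconfig; then
        /etc/init.d/ntpd restart
    fi
}

# Constructed sample configs: flag set, flag left at the commented default,
# and a line that a script which sourced the file would have executed.
demo() {
    d=$(mktemp -d) || exit 1
    printf 'IPTABLES_RESTARTS_NTPD="Yes"   # bounce ntpd after a restart\n' > "$d/on"
    printf '#IPTABLES_RESTARTS_NTPD="No"\n' > "$d/default"
    printf 'IPTABLES_RESTARTS_NTPD=yes; touch /tmp/sourced\n' > "$d/hostile"
    for f in on default hostile; do
        if should_restart_ntpd "$d/$f" stub_chkconfig_on; then r=restart; else r=skip; fi
        echo "$f (ntpd enabled): $r"
    done
    should_restart_ntpd "$d/on" stub_chkconfig_off && r=restart || r=skip
    echo "on (ntpd disabled): $r"
    rm -rf "$d"
}
demo
```

On a real box post_restart_hook would sit at the end of the restart case of /etc/init.d/iptables, and the second argument to should_restart_ntpd would be the real chkconfig (or a wrapper that also tries "ntp", the other spelling tested above). Two caveats worth carrying into the bug report: this makes the firewall script reach into another service, which is a dependency in the wrong direction and one more thing SELinux policy has to permit, and the underlying loss is avoidable without any hook by putting the UDP/123 rule into /etc/sysconfig/iptables, which the iptables init script reloads on every restart.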