Re: Possible bug with ntpd and Iptables
- From: Yang Xiao <yxiao2004 gmail com>
- To: For users of Fedora Core releases <fedora-list redhat com>
- Subject: Re: Possible bug with ntpd and Iptables
- Date: Tue, 31 Aug 2004 17:28:21 -0400
On Tue, 31 Aug 2004 22:16:05 +0100, D. D. Brierton <darren dzr-web com> wrote:
> On Tue, 2004-08-31 at 21:29, Yang Xiao wrote:
>
> > Well, I guess you can call it a bug, but it's not difficult to do a
> > iptables-save > /etc/sysconfig/iptables or even manually add the ntp
> > rules to the iptables file
> > to permanently store the ntp rules before you start to make changes so
> > that it won't get lost when you restart iptables?
>
> Yang, I think you're missing Scot's point. It's not about difficulty,
> it's about discoverability. Someone who has FC on a server that has
> quite long uptimes might be mystified as to why the clock is completely
> inaccurate despite their running ntpd because they didn't realise that
> restarting iptables had firewalled it off.
>
> I myself am happy for services to "punch holes" through the firewall
> when they start up as long as iptables is somehow made aware of this
> fact, so that if it has to be restarted it doesn't suddenly firewall all
> those services off.
>
> Best, Darren
>
As far as I'm aware, this problem existed in RH9 or maybe even
earlier versions. I guess the ntp service start scripts were designed
to make life easier but created a situation where the user can lose
control when trying to customize.
As to the original post by Scott, I agree, it is a bug that there
isn't a hook in IPTABLES to check for what services need to punch
holes when restarted. Mainly because they scripted in the service
startup scripts to do so. Otherwise, this is just a preference issue.
Yang
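
The discoverability gap discussed in this thread can be checked for directly. The following is an added example, not part of the original messages: it compares an `iptables-save` dump of the running rules with the saved rules file and lists the rules a firewall restart would drop. The function names, the `FW-INPUT` chain and the 192.0.2.10 server are constructed for illustration.

```shell
#!/bin/sh
# Added example: report rules present in the running ruleset but missing from
# the saved file, i.e. the rules a firewall restart would discard.

# Print "table: rule" for every -A line of an iptables-save format file.
normalize() {
    awk '
        /^\*/ { table = substr($0, 2); next }      # "*filter" starts a table
        { sub(/^\[[0-9]+:[0-9]+\] /, "") }         # drop counters (iptables-save -c)
        /^-A / { sub(/[ \t]+$/, ""); print table ": " $0 }
    ' "$1" | LC_ALL=C sort -u
}

# unsaved_rules RUNNING_DUMP SAVED_FILE
unsaved_rules() {
    run_tmp=$(mktemp) || return 1
    sav_tmp=$(mktemp) || { rm -f "$run_tmp"; return 1; }
    normalize "$1" > "$run_tmp"
    normalize "$2" > "$sav_tmp"
    LC_ALL=C comm -23 "$run_tmp" "$sav_tmp"     # lines only in the running set
    rm -f "$run_tmp" "$sav_tmp"
}

# Constructed sample data: the chain name and the 192.0.2.10 server are made up.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/saved" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FW-INPUT - [0:0]
-A INPUT -j FW-INPUT
-A FW-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FW-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    # Running set = saved set plus one NTP rule added at service start.
    sed '/--dport 22/i\
-A FW-INPUT -s 192.0.2.10 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
' "$d/saved" > "$d/running"
    unsaved_rules "$d/running" "$d/saved"
    rm -rf "$d"
}

# Real use (as root): iptables-save > /tmp/running
#                     unsaved_rules /tmp/running /etc/sysconfig/iptables
if [ "${1:-}" = demo ]; then demo; fi
```

Empty output means the saved file already holds every running rule; any line printed is a rule to review before restarting iptables.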