On Tue, 31 Aug 2004 22:16:05 +0100, D. D. Brierton <darren@xxxxxxxxxxx> wrote:

> On Tue, 2004-08-31 at 21:29, Yang Xiao wrote:
>
> > Well, I guess you can call it a bug, but it's not difficult to do an
> > iptables-save > /etc/sysconfig/iptables or even manually add the ntp
> > rules to the iptables file to permanently store the ntp rules before
> > you start to make changes so that they won't get lost when you restart
> > iptables?
>
> Yang, I think you're missing Scot's point. It's not about difficulty,
> it's about discoverability. Someone who has FC on a server that has
> quite long uptimes might be mystified as to why the clock is completely
> inaccurate despite their running ntpd because they didn't realise that
> restarting iptables had firewalled it off.
>
> I myself am happy for services to "punch holes" through the firewall
> when they start up as long as iptables is somehow made aware of this
> fact, so that if it has to be restarted it doesn't suddenly firewall all
> those services off.
>
> Best, Darren

As far as I'm aware, this problem existed in RH9 or maybe even earlier versions. I guess the ntp service start scripts were designed to make life easier but created a situation where the user can lose control when trying to customize.

As to the original post by Scott, I agree: it is a bug that there isn't a hook in iptables to check for what services need to punch holes when restarted, mainly because they scripted the service startup scripts to do so. Otherwise, this is just a preference issue.

Yang
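The trap Darren describes (a rule that ntpd's start script inserted into the running kernel but that never reached /etc/sysconfig/iptables, so an iptables restart silently drops it) can be detected by comparing the two rule sets. The following POSIX sh check is an added example written for this thread; it is not part of the Fedora or Red Hat init scripts. The two rule sets are constructed samples in iptables-save format, and the RH-Firewall-1-INPUT chain layout and the exact form of the ntp rule are assumptions; on a real host you would feed it the output of `iptables-save` and the contents of the saved file.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the running ntp (udp/123)
# ACCEPT rule is also present in the saved iptables file, i.e. whether it would
# survive "service iptables restart".

# Constructed sample of the running rule set after ntpd's start script punched
# its hole (the chain name and rule form are assumptions, modelled on FC).
RUNNING_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample of /etc/sysconfig/iptables as saved before ntpd was
# started, so the udp/123 rule is missing.
SAVED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# has_ntp_accept RULES: exit 0 if RULES (iptables-save text) contains an
# "-A ..." line that accepts udp destination port 123, else exit 1.
# Chain headers and COMMIT lines never match because of the leading "-A ".
# The trailing space after "123" keeps port 1234 from matching.
has_ntp_accept() {
    printf '%s\n' "$1" | grep -qE '^-A .* -p udp .*--dport 123 .*-j ACCEPT'
}

# ntp_rule_persisted RUNNING SAVED: print a verdict and return
#   0  rule is in both (survives an iptables restart)
#   1  rule is running but not saved (the discoverability trap from the thread)
#   2  rule is not in the running rule set at all
ntp_rule_persisted() {
    if ! has_ntp_accept "$1"; then
        echo "ntp: no udp/123 ACCEPT rule in the running rule set"
        return 2
    fi
    if has_ntp_accept "$2"; then
        echo "ntp: udp/123 ACCEPT rule is saved; it will survive an iptables restart"
        return 0
    fi
    echo "ntp: udp/123 ACCEPT rule is running but NOT saved; an iptables restart will drop it"
    return 1
}

# Run against the constructed samples. On a real host, replace the two
# arguments with "$(iptables-save)" and "$(cat /etc/sysconfig/iptables)".
ntp_rule_persisted "$RUNNING_RULES" "$SAVED_RULES" || echo "exit status: $?"
```

A return value of 1 is exactly Yang's scenario: the fix is to run `iptables-save > /etc/sysconfig/iptables` (or add the rule by hand) while the hole is still open, after which the check returns 0 and a restart no longer firewalls ntpd off.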