On Wed, 2004-09-01 at 00:46, Mike Burger wrote:
> On Tue, 31 Aug 2004, Scot L. Harris wrote:
>
> > On Tue, 2004-08-31 at 16:29, Yang Xiao wrote:
> >
> > > Well, I guess you can call it a bug, but it's not difficult to do an
> > > iptables-save > /etc/sysconfig/iptables or even manually add the ntp
> > > rules to the iptables file
> > > to permanently store the ntp rules before you start to make changes so
> > > that it won't get lost when you restart iptables?
> > >
> > > Yang
> >
> > But if you put those rules in /etc/sysconfig/iptables when ntpd starts
> > it inserts duplicate rules again.
> >
> > Does not work very smoothly.
>
> Really? I seem to recall iptables ignoring duplicated rules.

Well, the test I ran was:

start system
start iptables
start ntpd
save iptables manually
stop iptables
start iptables with saved info including ntp ports
restart ntpd (second set of entries for ntp inserted in iptables)

Would need to do more testing, but unless the ntpd script parses the rules
for similar settings there is nothing keeping you from inserting dozens of
similar rules for the same service/port. Would it make sense? No. The first
rule would be applied and the others would not be hit.

I guess the point I am making is that this method of modifying iptables in
other startup scripts is wrong and can lead to systems having problems:
either services stop working because a change was made to iptables, or a
hole is created in the firewall without the knowledge of the admin, creating
a potential security issue.

The most likely problem is a service such as ntp stops working correctly,
which results in clock drift, which then affects some time-based
security/authentication applications (like RSA).

The reason I raised the issue here was to make sure I was not missing
anything and to issue a bug report on this potential problem.

-- 
Scot L. Harris
webid@xxxxxxxxxx

The only two things that motivate me and that matter to me are revenge and guilt.
-- Elvis Costello
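An added example, not part of the mailing-list thread: a small Python check that parses `iptables-save` output, reports any rule that appears more than once in a chain (the duplicate-ntp-entries condition described in the test above), and shows the presence check an init script would need before inserting a rule. The ruleset embedded below is constructed to mirror the scenario (the udp port 123 rule present twice after ntpd is restarted); chain names, ports and counters are assumptions.

```python
from collections import Counter

# Constructed sample of `iptables-save` output mirroring the thread's test:
# the saved ruleset already had the ntp rule, and restarting ntpd inserted
# it a second time. Chains, ports and counters are assumptions, not real data.
SAMPLE_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed (constructed sample)
"""


def parse_rules(save_text):
    """Yield (table, chain, rule_spec) for every '-A' line in iptables-save output.

    Comment lines, '*table' headers, ':CHAIN policy' lines and COMMIT are skipped;
    the table is tracked so rules in different tables are never compared.
    """
    table = None
    for line in save_text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            chain, _, spec = line[3:].partition(" ")
            yield table, chain, " ".join(spec.split())  # normalise whitespace


def find_duplicate_rules(save_text):
    """Return {(table, chain, rule_spec): count} for rules listed more than once."""
    counts = Counter(parse_rules(save_text))
    return {key: n for key, n in counts.items() if n > 1}


def rule_present(save_text, chain, spec, table="filter"):
    """The check a startup script should do before inserting: is this exact rule
    already in the chain? (Equivalent in spirit to `iptables -C`.)"""
    wanted = (table, chain, " ".join(spec.split()))
    return any(rule == wanted for rule in parse_rules(save_text))


if __name__ == "__main__":
    for (table, chain, spec), n in find_duplicate_rules(SAMPLE_SAVE).items():
        print(f"duplicate x{n} in {table}/{chain}: -A {chain} {spec}")
```

Running this against a live system's `iptables-save` output (e.g. piped through stdin) flags exactly the duplicated entries the thread describes; the second copy is dead weight that an admin reviewing the firewall can miss.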