09-06-2012, 10:32 AM
Frantisek Hanzlik

How to uncover what starts iptables?

I have disabled (not masked) iptables.service on an F17 box.
But occasionally this service is started. There isn't any
record about it in the system logs. Is there some (systemd-native)
way to detect who starts this service?
(Maybe via inotify tools I'm able to detect access to
"/etc/sysconfig/iptables", but this gives no information about
the accessing process.)

Second question about iptables: Is there any replacement for the
"service iptables panic" command from the good old cheerful non-systemd days?

Thanks in advance, Franta Hanzlik

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
09-10-2012, 07:51 AM
Zdenek Pytela

How to uncover what starts iptables?

Frantisek Hanzlik wrote:
> I have disabled (not masked) iptables.service on an F17 box.
> But occasionally this service is started. There isn't any
> record about it in the system logs. Is there some (systemd-native)
> way to detect who starts this service?
> (Maybe via inotify tools I'm able to detect access to
> "/etc/sysconfig/iptables", but this gives no information about
> the accessing process.)
Try if
grep -r Requires=iptables.service /lib/systemd
can be of any help to you.

> Second question about iptables: Is there any replacement for the
> "service iptables panic" command from the good old cheerful non-systemd days?
Check /lib/systemd/system/iptables.service, you still may try
/lib/systemd/system/iptables.service panic

You can also prepare two sets of iptables with the default being ACCEPT
and then switch between them with a simple command with flushing/renaming/adding
a chain.

--

--Zdenek Pytela, <pytela@phil.muni.cz>
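
The two-ruleset switch suggested above, as an added example (not code from the thread or from Fedora's iptables package): fw_ruleset and fw_switch are hypothetical names, the three sets and the SSH port are constructed, and "panic" is assumed here to mean DROP policy on every filter chain with no rules. iptables-restore flushes and reloads a table in one commit, so the switch never leaves a half-built ruleset.

```shell
#!/bin/sh
# Added example, not from the thread. fw_ruleset/fw_switch are hypothetical names.

# fw_ruleset MODE: print iptables-restore input for the filter table.
#   open       - policy ACCEPT, no rules (close to "firewall not running")
#   restricted - policy DROP plus a few allow rules (constructed sample set)
#   panic      - policy DROP, no rules (assumed meaning of "panic" here)
fw_ruleset() {
    rules=
    case $1 in
        open)  policy=ACCEPT ;;
        panic) policy=DROP ;;
        restricted)
            policy=DROP
            rules='-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -j ACCEPT' ;;
        *) echo "usage: fw_ruleset open|restricted|panic" >&2; return 2 ;;
    esac
    echo '*filter'
    for chain in INPUT FORWARD OUTPUT; do
        echo ":$chain $policy [0:0]"
    done
    [ -z "$rules" ] || printf '%s\n' "$rules"
    echo 'COMMIT'
}

# fw_switch MODE: replace the live filter table in one commit (needs root).
fw_switch() {
    set_text=$(fw_ruleset "$1") || return 2
    printf '%s\n' "$set_text" | iptables-restore
}
```

Only the filter table is touched; rules in nat, mangle or raw stay as they were.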

09-11-2012, 08:31 AM
Frantisek Hanzlik

How to uncover what starts iptables?

Zdenek Pytela wrote:
> Frantisek Hanzlik wrote:
>> I have disabled (not masked) iptables.service on an F17 box.
>> But occasionally this service is started. There isn't any
>> record about it in the system logs. Is there some (systemd-native)
>> way to detect who starts this service?
>> (Maybe via inotify tools I'm able to detect access to
>> "/etc/sysconfig/iptables", but this gives no information about
>> the accessing process.)
> Try if
> grep -r Requires=iptables.service /lib/systemd
> can be of any help to you.

In /lib/systemd/ and /etc/systemd/ no service requires iptables.
("grep -r 'iptables.service' /lib/systemd/* /etc/systemd/*" returns
nothing)

>> Second question about iptables: Is there any replacement for the
>> "service iptables panic" command from the good old cheerful non-systemd days?
> Check /lib/systemd/system/iptables.service, you still may try
> /lib/systemd/system/iptables.service panic

Although "/lib/systemd/system/iptables.service" has mode 0755, I think
this is only a packager mistake - systemd units IMO surely aren't
executable scripts. But you perhaps meant the "/usr/libexec/iptables.init"
script (which seems identical to the original "/etc/rc.d/init.d/" one).
And yes, "/usr/libexec/iptables.init panic" works as before.
But everyone knows the pre-systemd location and usage; the new one, no one.


> You can also prepare two sets of iptables with the default being ACCEPT
> and then switch between them with a simple command with flushing/renaming/adding
> a chain.

Yes, it is a solution too; but I would like to know when it has been solved
in some way when this service was transferred to systemd.

09-11-2012, 09:19 AM
Sophie Sperner

How to uncover what starts iptables?

How to unsubscribe from this mail listing? Please leave me alone.

--
Yours,
Sophie


09-11-2012, 05:41 PM
Mike Wright

How to uncover what starts iptables?

On 09/11/2012 02:19 AM, Sophie Sperner wrote:

how to unsubscribe from this mail listing? Please leave me alone.
--
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users

09-17-2012, 07:18 AM
Zdenek Pytela

How to uncover what starts iptables?

Frantisek Hanzlik wrote:
> > Try if
> > grep -r Requires=iptables.service /lib/systemd
> > can be of any help to you.
>
> In /lib/systemd/ and /etc/systemd/ no service requires iptables.
> ("grep -r 'iptables.service' /lib/systemd/* /etc/systemd/*" returns
> nothing)
There is an inverse way as well: in iptables there are some WantedBy=
lines; follow them and they may lead you to the right source.
Unfortunately, another way start scripts get invoked is through dbus.
You may also install graphviz and try
systemctl dot|dot -Tsvg > systemd.svg
but on my system the output looks too complicated to find anything.

> >> Second question about iptables: Is there any replacement for the
> >> "service iptables panic" command from the good old cheerful non-systemd days?
> > Check /lib/systemd/system/iptables.service, you still may try
> > /lib/systemd/system/iptables.service panic
>
> Although "/lib/systemd/system/iptables.service" has mode 0755, I think
> this is only a packager mistake - systemd units IMO surely aren't
> executable scripts. But you perhaps meant the "/usr/libexec/iptables.init"
> script (which seems identical to the original "/etc/rc.d/init.d/" one).
> And yes, "/usr/libexec/iptables.init panic" works as before.
You're right, sorry for the misclick.

> But everyone knows the pre-systemd location and usage; the new one, no one.
A Bash script/alias is a solution, isn't it?

> > You can also prepare two sets of iptables with the default being ACCEPT
> > and then switch between them with a simple command with flushing/renaming/adding
> > a chain.
>
> Yes, it is a solution too; but I would like to know when it has been solved
> in some way when this service was transferred to systemd.
I don't really understand what you want to achieve, but this
solution I have found to be the most suitable - you will still have the default
iptables running and accepting, which is very close to not running them,
and when you want to restrict network rules, you just switch to another
ruleset instead of starting.

--

--Zdenek Pytela, <pytela@phil.muni.cz>
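
One way to widen the search beyond a content grep, as an added example (not from the thread): find_unit_pullers and make_sample_tree are hypothetical names, the default directory list is an assumption, and the sample tree is constructed. It reports directives that can start the unit (After= is ordering only and is ignored) and looks by name for the symlinks that enabling a unit with a WantedBy= line creates in *.wants/ directories, which a grep over file contents does not match.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# find_unit_pullers UNIT [DIR...]
# Print every directive or enablement symlink under DIR... that can cause
# UNIT to be started.
find_unit_pullers() {
    unit=$1; shift
    # Default search path is an assumption; pass directories to override it.
    [ $# -gt 0 ] || set -- /etc/systemd/system /run/systemd/system \
                           /lib/systemd/system /usr/lib/systemd/system
    esc=$(printf '%s' "$unit" | sed 's/[.]/\\./g')
    # The unit must appear as a whole word in the directive's value.
    re="^(Requires|Wants|BindsTo|OnFailure|Unit|Service)=(.*[[:space:]])?${esc}([[:space:]]|\$)"
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # 1. Dependency and activation directives inside unit files.
        find "$dir" -type f -exec grep -HnE "$re" {} + | sed 's/^/directive /'
        # 2. Symlinks named after the unit in *.wants/ or *.requires/.
        find "$dir" -type l \( -path '*.wants/*' -o -path '*.requires/*' \) \
            -name "$unit" | sed 's/^/symlink   /'
    done
}

# Constructed sample tree (not a real Fedora layout) for an offline run.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/lib" "$root/etc/basic.target.wants"
    printf '[Unit]\nDescription=IPv4 firewall\n' > "$root/lib/iptables.service"
    printf '[Unit]\nWants=network.target iptables.service\n' > "$root/lib/vpn.service"
    printf '[Unit]\nAfter=iptables.service\n' > "$root/lib/sshd.service"
    printf '[Unit]\nRequires=ip6tables.service\n' > "$root/lib/other.service"
    ln -s "$root/lib/iptables.service" \
        "$root/etc/basic.target.wants/iptables.service"
    printf '%s\n' "$root"
}
```

A start requested over D-Bus or by a direct "systemctl start" leaves nothing in these directories, so an empty result does not rule those out.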
