
Re: How do packages that modify iptables rules prevent race conditions?

On 12/11/2015 20:47, Pascal Hambourg wrote:
> Patrick Schleizer wrote:
>> as I just learned on the mailing list, that at least the packages
>> fail2ban and miniupnpd [and most likely arno-iptables-firewall also]
>> modify iptables rules...
> Firewall managers such as ufw, shorewall, firestarter...
> Custom iptables scripts.
> IDS such as portsentry.
> "Port knocking" daemons such as knockd.
>> Is there a chance for race conditions?
> Plenty.
>> I.e. two packages trying to add
>> iptables rules at the same time and thereby failing to do so?
> Yes, or mixing up their rules resulting in unpredictable results.
>> What is the proper mechanism to add iptables rules [for packages] to
>> avoid such race conditions?
>> Is using 'iptables --wait' sufficient or something else?
> No it's not. You must also make sure that the rules created by each
> program don't disrupt the rules created by the others.

For fail2ban I prefer to use ipset and only modify the blocked set
without changing the rules themselves.
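The pattern described in this reply, as an added example that is neither the poster's script nor fail2ban's own action configuration: one iptables rule is installed once and references an ipset, and banning or unbanning an address only edits the set, so the day-to-day changes never go through iptables at all. The set name f2b-sshd, port 22, the 600-second ban time and the DRY_RUN switch are assumptions made for this example; the IP check is a deliberately simple IPv4-only guard.

```shell
#!/bin/sh
# Added example (not fail2ban's action.d config): a static iptables rule that
# matches an ipset, with ban/unban implemented as ipset updates only.
# SET_NAME, PORT and BANTIME are placeholder choices for this example.
set -eu

SET_NAME="${SET_NAME:-f2b-sshd}"   # hypothetical set name
PORT="${PORT:-22}"                 # service port the rule protects
BANTIME="${BANTIME:-600}"          # seconds; ipset per-entry timeout

# run: execute a command, or only print it when DRY_RUN is set, so the
# logic can be exercised without root, iptables or ipset being present.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# is_ipv4: accept only a dotted quad, so a string taken from a log parser can
# never reach ipset as an unexpected argument. IPv6 is intentionally not handled.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# install_rule: one-time setup that is safe to repeat. The set is created only
# if missing (-exist) and the rule is inserted only if an identical one is not
# already present. -w makes iptables wait for the xtables lock instead of
# failing while another package is mid-update. Under DRY_RUN the -C probe is
# skipped and the insert is printed unconditionally.
install_rule() {
    run ipset create -exist "$SET_NAME" hash:ip timeout "$BANTIME"
    if [ -n "${DRY_RUN:-}" ] || ! iptables -w -C INPUT -p tcp --dport "$PORT" \
            -m set --match-set "$SET_NAME" src -j REJECT 2>/dev/null; then
        run iptables -w -I INPUT -p tcp --dport "$PORT" \
            -m set --match-set "$SET_NAME" src -j REJECT
    fi
}

# ban_ip / unban_ip: touch only the set. No iptables call is made, so there is
# no xtables lock to wait for and no chance of reordering another package's rules.
ban_ip() {
    is_ipv4 "$1" || { echo "refusing to ban malformed address: $1" >&2; return 1; }
    run ipset add -exist "$SET_NAME" "$1" timeout "$BANTIME"
}

unban_ip() {
    is_ipv4 "$1" || { echo "refusing to unban malformed address: $1" >&2; return 1; }
    run ipset del -exist "$SET_NAME" "$1"
}

# Stand-alone use: "sh ban.sh install", "sh ban.sh ban 203.0.113.5" (constructed
# documentation address), "sh ban.sh unban 203.0.113.5"; set DRY_RUN=1 to print
# the commands instead of running them.
case "${1:-}" in
    install) install_rule ;;
    ban)     ban_ip "$2" ;;
    unban)   unban_ip "$2" ;;
esac
```

The only step that still involves iptables is install_rule, and its `-C` probe followed by `-I` is a check-then-act across two iptables invocations; `-w` serializes each call on the xtables lock but does not make the pair atomic, which is exactly the kind of interaction the thread is about. Once the rule is in place, every ban and unban is a single ipset operation on a set that no other package's rules depend on.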
