How to uncover what starts iptables?

2012-09-06 Thread Frantisek Hanzlik
I have disabled (not masked) iptables.service on an F17 box.
But occasionally this service is started. There isn't any
record of it in the system logs. Is there some (systemd-native)
way to detect who starts this service?
(Maybe via inotify tools I'm able to detect access to
"/etc/sysconfig/iptables", but this gives no information about
the accessing process.)

Second question about iptables: is there any replacement for the
"service iptables panic" command from the old golden cheerful non-systemd days?

Thanks in advance, Franta Hanzlik

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: How to uncover what starts iptables?

2012-09-10 Thread Zdenek Pytela
Frantisek Hanzlik wrote:
> I have disabled (not masked) iptables.service on an F17 box.
> But occasionally this service is started. There isn't any
> record of it in the system logs. Is there some (systemd-native)
> way to detect who starts this service?
> (Maybe via inotify tools I'm able to detect access to
> "/etc/sysconfig/iptables", but this gives no information about
> the accessing process.)
Try whether
grep -r Requires=iptables.service /lib/systemd
can be of any help to you.

> Second question about iptables: is there any replacement for the
> "service iptables panic" command from the old golden cheerful non-systemd days?
Check /lib/systemd/system/iptables.service; you may still try
/lib/systemd/system/iptables.service panic

You can also prepare two sets of iptables rules with the default being ACCEPT
and then switch between them with a simple command, flushing/renaming/adding
a chain.

-- 
Zdenek Pytela

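The two-ruleset switch suggested above, written out as an added example (not code from the thread or from Fedora's iptables package), with a panic mode standing in for "service iptables panic". The chain names fw-open/fw-strict/fw-active and the SSH-only strict set are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: two prepared rulesets and a
# one-command switch between them, as suggested, plus a "panic" mode
# to replace "service iptables panic". Chain names and the SSH-only
# strict set are my own choices. Needs root; IPT=echo prints instead.
IPT="${IPT:-iptables}"

# Create a user chain, or empty it if it already exists, so setup can be re-run.
fw_fresh_chain() {
    $IPT -N "$1" 2>/dev/null || $IPT -F "$1"
}

# Build both rulesets once. INPUT only jumps to fw-active, whose single
# rule selects the ruleset in force; the built-in policy stays ACCEPT.
fw_setup() {
    fw_fresh_chain fw-open
    $IPT -A fw-open -j ACCEPT

    fw_fresh_chain fw-strict
    $IPT -A fw-strict -i lo -j ACCEPT
    $IPT -A fw-strict -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A fw-strict -p tcp --dport 22 -j ACCEPT
    $IPT -A fw-strict -j DROP

    fw_fresh_chain fw-active
    $IPT -A fw-active -j fw-open                # start permissive
    $IPT -C INPUT -j fw-active 2>/dev/null || $IPT -I INPUT 1 -j fw-active
}

# Switch by replacing the one rule in fw-active: iptables commits the whole
# table in one kernel update, so there is no moment with an empty chain.
fw_mode() {
    case "$1" in
        open|strict) $IPT -R fw-active 1 -j "fw-$1" ;;
        panic)       $IPT -R fw-active 1 -j DROP ;;   # INPUT only, unlike iptables.init panic
        *) printf 'usage: %s setup|open|strict|panic\n' "$0" >&2; return 1 ;;
    esac
}

if [ $# -gt 0 ]; then
    case "$1" in
        setup) fw_setup ;;
        *)     fw_mode "$1" ;;
    esac
fi
```

Unlike the init script's panic, which changes the built-in policies, this leaves FORWARD and OUTPUT untouched; add the same jump to those chains if you need that.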


Re: How to uncover what starts iptables?

2012-09-11 Thread Frantisek Hanzlik
Zdenek Pytela wrote:
> Frantisek Hanzlik wrote:
>> I have disabled (not masked) iptables.service on an F17 box.
>> But occasionally this service is started. There isn't any
>> record of it in the system logs. Is there some (systemd-native)
>> way to detect who starts this service?
>> (Maybe via inotify tools I'm able to detect access to
>> "/etc/sysconfig/iptables", but this gives no information about
>> the accessing process.)
> Try whether
> grep -r Requires=iptables.service /lib/systemd
> can be of any help to you.

In /lib/systemd/ and /etc/systemd/ no service requires iptables.
("grep -r 'iptables\.service' /lib/systemd/* /etc/systemd/*" returns
nothing.)

>> Second question about iptables: is there any replacement for the
>> "service iptables panic" command from the old golden cheerful non-systemd days?
> Check /lib/systemd/system/iptables.service; you may still try
> /lib/systemd/system/iptables.service panic

Although "/lib/systemd/system/iptables.service" has mode 0755, I think
this is only a packager mistake; systemd units IMO surely aren't
executable scripts. But you perhaps meant the "/usr/libexec/iptables.init"
script (which seems identical to the original "/etc/rc.d/init.d/" one).
And yes, "/usr/libexec/iptables.init panic" works as before.
But everyone knows the pre-systemd location and usage, and nobody knows this new one :(


> You can also prepare two sets of iptables rules with the default being ACCEPT
> and then switch between them with a simple command,
> flushing/renaming/adding
> a chain.

Yes, that is a solution too; but I would like to know whether it was solved
somehow when this service was transferred to systemd.



Re: How to uncover what starts iptables?

2012-09-11 Thread Sophie Sperner
How do I unsubscribe from this mailing list? Please leave me alone.

On 11 September 2012 09:31, Frantisek Hanzlik wrote:
-- 
Yours,
Sophie


Re: How to uncover what starts iptables?

2012-09-11 Thread Mike Wright

On 09/11/2012 02:19 AM, Sophie Sperner wrote:

> How do I unsubscribe from this mailing list? Please leave me alone.
--
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users



Re: How to uncover what starts iptables?

2012-09-17 Thread Zdenek Pytela
Frantisek Hanzlik wrote:
> > Try whether
> > grep -r Requires=iptables.service /lib/systemd
> > can be of any help to you.
> 
> In /lib/systemd/ and /etc/systemd/ no service requires iptables.
> ("grep -r 'iptables\.service' /lib/systemd/* /etc/systemd/*" returns
> nothing.)
There is an inverse way as well: in iptables there are some WantedBy=
lines; follow them and they may lead you to the right source.
Unfortunately, another way of invoking start scripts is through dbus.
You may also install graphviz and try
systemctl dot|dot -Tsvg > systemd.svg
but on my system the output looks too complicated to find anything.

> >> Second question about iptables: is there any replacement for the
> >> "service iptables panic" command from the old golden cheerful non-systemd days?
> > Check /lib/systemd/system/iptables.service; you may still try
> > /lib/systemd/system/iptables.service panic
> 
> Although "/lib/systemd/system/iptables.service" has mode 0755, I think
> this is only a packager mistake; systemd units IMO surely aren't
> executable scripts. But you perhaps meant the "/usr/libexec/iptables.init"
> script (which seems identical to the original "/etc/rc.d/init.d/" one).
> And yes, "/usr/libexec/iptables.init panic" works as before.
You're right, sorry for the misclick.

> But everyone knows the pre-systemd location and usage, and nobody knows this new one :(
A bash script/alias is a solution, isn't it?

> > You can also prepare two sets of iptables rules with the default being ACCEPT
> > and then switch between them with a simple command,
> > flushing/renaming/adding
> > a chain.
> 
> Yes, that is a solution too; but I would like to know whether it was solved
> somehow when this service was transferred to systemd.
I don't really understand what you want to achieve, but I have found this
solution to be the most suitable: you will still have default
iptables running and accepting, which is very close to not running them,
and when you want to restrict network rules, you just switch to another
ruleset instead of starting.

-- 
Zdenek Pytela

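The search described in this thread (grep for Requires=, then follow the unit's own WantedBy= lines), put into one function as an added example that is not from the thread. It goes a little beyond the replies: it also checks the other dependency directives and the *.wants/ and *.requires/ symlinks that "systemctl enable" creates. The function name unit_refs and the output prefixes are my own; unit directories are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): find what pulls a unit in, in both
# directions described above. Unit directories are passed explicitly so the
# function can be run against /lib/systemd and /etc/systemd or a test tree.
unit_refs() {
    unit=$1; shift
    # escape the dots so "iptables.service" is matched literally
    pat=$(printf '%s' "$unit" | sed 's/\./\\./g')
    re='^(Requires|Requisite|Wants|BindsTo|PartOf|Also|After|Before)=(.* )?'"$pat"'( |$)'
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # (a) other units whose dependency directives name the target
        grep -rEl "$re" "$dir" 2>/dev/null | sed 's/^/directive: /'
        # (b) symlinks in *.wants/ and *.requires/ that pull the target in
        #     (this is what "systemctl enable" creates from WantedBy=)
        find "$dir" \( -path '*.wants/*' -o -path '*.requires/*' \) \
             -type l -name "$unit" | sed 's/^/symlink: /'
        # (c) the inverse way: the target's own [Install] section
        find "$dir" -type f -name "$unit" \
             -exec grep -HE '^(WantedBy|RequiredBy)=' {} \; | sed 's/^/install: /'
    done
    return 0
}

if [ $# -ge 2 ]; then
    unit_refs "$@"
else
    printf 'usage: %s UNIT DIR...\n' "$0" >&2
fi
```

A D-Bus activation or a plain "systemctl start" from a script will not show up here, since neither is recorded in a unit file.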