Author: Ludovic Bellière
Date:  
To: dng
Subject: Re: [DNG] Upgrade to Beowulf: iptables
Hello kendall.

Running processes aren't stopped (restarted) until the new binaries are
available, so your machine was still behind a firewall if rules were
applied before the upgrade. iptables, ip6tables, and other alternatives
serve as interfaces to the Netfilter packet filtering framework found in
the kernel; the absence of such commands does not make the kernel unsafe.

Cheers,

Ludovic

On 20/07/20 10:46, fraser kendall wrote:
> I have upgraded several machines to Beowulf over the last few months.
> It has only once been problematic, but that was probably due to student
> error. However, there is an ongoing issue with the upgrade to
> iptables-nft so before starting the upgrade I opened a separate
> terminal and issued # watch iptables -L. I expected to see the existing
> tables overwritten with the default (ACCEPT everything and anything)
> and was ready to issue a prompt # iptables-restore < /existing/rule/set
>
> However, what I was not prepared for was to see that, during the
> download process and before the upgraded iptables package was
> installed, the 'watching' terminal suddenly reported that the iptables
> command couldn't be found. It was over 5 minutes before the watching
> terminal reported the expected 'upgraded' ruleset. I have two
> questions.
>
> 1) Does this mean that during the upgrade process to Beowulf, there is
> a minutes-long window during which the machine has no firewall at all?
>
> 2) Is this sufficiently alarming as to constitute a bug?
>
> Best wishes
>
> fraser
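
The reply's point that the rules stay in the kernel can be checked once the upgraded tools are installed, by comparing iptables-save dumps taken before and after the upgrade. This is an added example, not part of the original messages; the function names and the sample dumps are constructed for illustration.

```shell
# Compare iptables-save dumps taken before and after an upgrade.
# Function names and sample dumps are constructed for this example.

# Drop comment lines (timestamps) and [packets:bytes] counters.
normalize_ruleset() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*]$//' -e 's/^\[[0-9]*:[0-9]*] //'
}

# Return 0 when both dumps describe the same policies and rules.
rulesets_match() {
    [ "$(printf '%s\n' "$1" | normalize_ruleset)" = \
      "$(printf '%s\n' "$2" | normalize_ruleset)" ]
}

# Print "table/chain" for every built-in chain whose policy is ACCEPT.
open_policies() {
    awk '/^\*/ { t = substr($1, 2) }
         /^:/ && $2 == "ACCEPT" { print t "/" substr($1, 2) }'
}

BEFORE='# Generated by iptables-save (constructed sample, before upgrade)
*filter
:INPUT DROP [12:840]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [30:2400]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'
# Same rules after the upgrade: only the comment and the counters differ.
AFTER_SAME='# Generated by iptables-save (constructed sample, after upgrade)
*filter
:INPUT DROP [57:3990]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [81:6480]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'
# The outcome the original poster was braced for: defaults, no rules.
AFTER_FLUSHED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

for after in "$AFTER_SAME" "$AFTER_FLUSHED"; do
    rulesets_match "$BEFORE" "$after" && echo "ruleset unchanged" && continue
    echo "ruleset CHANGED, ACCEPT policies: $(printf '%s\n' "$after" | open_policies | tr '\n' ' ')"
done
```

On a real host the two inputs would be the output of iptables-save captured before the upgrade starts and again after the new package is configured.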