Patrick Schleizer wrote:
> as I just learned on the mailing list, that at least the packages
> fail2ban and miniupnpd [and most likely arno-iptables-firewall also]
> modify iptables rules...

Firewall managers such as ufw, shorewall, firestarter... Custom iptables scripts. IDS such as portsentry. "Port knocking" daemons such as knockd.

> Is there a chance for race conditions?

Plenty.

> I.e. two packages trying to add
> iptables rules at the same time and thereby failing to do so?

Yes, or mixing up their rules resulting in unpredictable results.

> What is the proper mechanism to add iptables rules [for packages] to
> avoid such race conditions?
>
> Is using 'iptables --wait' sufficient or something else?

No it's not. You must also make sure that the rules created by each program don't disrupt the rules created by the others.
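The following is an added example, not code from this thread or from any of the packages named in it. It shows the two points made in the reply: every iptables call carries `-w` (`--wait`) so it blocks on the xtables lock rather than failing when another program holds it, and the package keeps its rules in a chain of its own, reached by a single jump from INPUT, so installing or removing them never touches rules owned by another firewall manager. The package name `examplepkg`, the chain name `EXAMPLEPKG` and TCP port 12345 are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or any package it mentions).
# Assumed values: hypothetical package "examplepkg", its own chain EXAMPLEPKG,
# and one service port 12345/tcp it wants to allow.
CHAIN="EXAMPLEPKG"
PORT="12345"

# Print the iptables invocations the package would run at install time, one
# per line.  Every call uses -w so it waits for the xtables lock instead of
# failing if e.g. fail2ban or ufw is mid-update.  Each add is guarded by a
# -C (check) so running this twice never produces duplicate rules, and the
# package only ever writes into its own chain plus one jump in INPUT.
plan_install() {
    cat <<EOF
iptables -w -N $CHAIN 2>/dev/null || true
iptables -w -C INPUT -j $CHAIN 2>/dev/null || iptables -w -I INPUT -j $CHAIN
iptables -w -C $CHAIN -p tcp --dport $PORT -j ACCEPT 2>/dev/null || iptables -w -A $CHAIN -p tcp --dport $PORT -j ACCEPT
EOF
}

# Removal is the mirror image: drop the jump, flush and delete our chain.
# Nothing outside EXAMPLEPKG (and the one jump) is touched, so other
# programs' rules survive intact.
plan_remove() {
    cat <<EOF
iptables -w -D INPUT -j $CHAIN 2>/dev/null || true
iptables -w -F $CHAIN 2>/dev/null || true
iptables -w -X $CHAIN 2>/dev/null || true
EOF
}

# Run a plan line by line (needs root), or just show it when "dry" is given.
run_plan() {
    if [ "$2" = "dry" ]; then "$1"; return 0; fi
    "$1" | while IFS= read -r cmd; do sh -c "$cmd" || return 1; done
}

# Usage: ./examplepkg-firewall.sh dry-run   (prints the install plan only)
if [ "${1:-}" = "dry-run" ]; then
    run_plan plan_install dry
fi
```

Note that `-w` only serialises access to the ruleset; the dedicated chain is what keeps the packages from overwriting each other. A package that instead inserted rules directly into INPUT, or flushed INPUT on upgrade, would still silently break the rules of every other program listed above even with `-w`.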