F11 iptables can't disable

KC8LDO kc8ldo at arrl.net
Mon Dec 14 15:01:31 UTC 2009


Marko;

The GUI doesn't ask for the root password, and some of the other setups 
don't either. I had to go to the menus and modify them to use (su -c 
"application")  and open the application in a terminal window to get a root 
password entered when I want to change something. All of the machines I use 
run VNC on my home LAN and it seems a bunch of stuff doesn't work right like 
this.

I have a hardware firewall running in front of all of my machines so I 
normally don't want one running locally. I want the firewall to pass all 
packets with no filtering. Yes I can use "service iptables stop" at the CLI 
but the firewall is right back again with filtering when I reboot the 
machine. I can see a bunch of filter rules are loaded when I check it so I 
know my settings were not respected. I have a FC3, FC5 and a F8 box that 
does NOT do this. Even F12 respects the settings, the F11 box does not.

Samba browsing doesn't work on F11 either but seems to work fine on the F12 
box, along with the others just fine, and they are set up the same pretty 
much as far as samba configuration goes. I can get in to the F11 box to the 
file shares from another computer but browsing from the F11 box for file 
shares on other computers doesn't work. Somebody else on this list was 
having just the reverse problem with their F11 box too. Neither one of us 
has figured out why this is happening yet. The F11 box just doesn't want to 
play nice.

The F12 box has frequent dialog box messages waiting for me when I fire up 
my VNC viewer to get on the machine. The dialog box message says something 
about an authorization failure while the details section doesn't say what 
application, service etc caused it, a total waste and absolutely of no use. 
So far I have no idea why this is occurring.

I've noticed that the last couple releases of Fedora have gone downhill in 
stability and usability when trying to run the system remotely using VNC. 
Seems like few people use it the way I do. I run all my machines primarily 
as headless work stations. I use VNC on the local LAN from a laptop to get 
in to each machine or using putty (ssh) on the Internet while tunneling VNC 
through it. Each machine has a different ssh port setup on it, and a fixed 
IP, while the router has port forwarding set up to forward the given ssh 
port to the right machine. This way I can access any machine on my LAN by 
using a different ssh port setting. None of the machines use the standard 
ssh port however. Not having things work right or as expected using a VNC 
setup is a real deal buster for me. I'm thinking about dumping F11.

Regards;

Leland C. Scott
KC8LDO

The right to practice in one's chosen profession is a Constitutional liberty
[Gibson v. Berryhill, 411 U.S. 564, 571 (1973)] that is violated by visas
that force Americans to train their foreign replacements or otherwise
result in displacement by foreign workers.

----- Original Message ----- 
From: "Marko Vojinovic" <vvmarko at gmail.com>
To: <fedora-list at redhat.com>; "KC8LDO" <kc8ldo at arrl.net>
Sent: Monday, December 14, 2009 7:51 AM
Subject: Re: F11 iptables can't disable


> On Monday 14 December 2009 06:40:28 KC8LDO wrote:
>> I've been trying to track down a problem where I can't browse the local
>> network using samba. As one experiment I disabled iptables, or so I thought
>> I did, using the services GUI. I can disable the ip6tables firewall it
>>  seems OK, but not the iptables firewall. The GUI shows the service
>>  disabled but still running, red dot and the plug icon in.
>
> "Disabled" (the red dot) means that the service will not be started on next
> boot. "Running" (the plug) means that the service is currently active.
>
> Those are two separate concepts, you should never confuse them.
>
>>  Something
>>  is screwed up with how some of the services work on F11 where they don't
>>  stop, start etc. the way they should and ask for a root password, through
>>  a pop-up dialog box, to allow making changes.
>
> The password is asked on your first attempt to change something, and
> authorization lasts until some reasonable timeout (couple of minutes or so, I
> don't know exactly). This is if you use GUI. If you use the "service" command
> in the terminal, there is no pop-up window, you should be logged in as root
> instead.
>
> Are you not being asked for the root password?
>
>> How do you tell iptables to quit, pass all packets through,
>
> service iptables stop
>
>> and stay that
>> way even after rebooting?
>
> chkconfig iptables off
>
> Be warned though, that not running a firewall is a Very Bad Idea if the
> machine is connected to the Internet. If you have trouble with samba, I
> suggest configuring the firewall appropriately, rather than disabling it
> completely.
>
>> That's a major issue for me. I would suspect that
>> some system script file(s) are not done right or missing etc.
>
> No, everything is working as expected. The "service" command does what it is
> intended to do --- start or stop the service. This has of course nothing to do
> with configuring what will happen at next boot.
>
> The "chkconfig" command configures what services will or will not be started
> at boot.
>
>> I keep getting some mysterious authorization failure message box that pops
>> up with no description of where, why and from what caused it. So far I
>> haven't had any luck finding what it is and stopping whatever the
>> application or service that's causing it.
>
> Could it be that these are the root password requests that you were asked for
> while playing with the services GUI? If I understood your comments above, the
> services GUI failed to ask you for a root password, right? And now you find a
> bunch of password requests waiting somewhere else, right?
>
> It might be that your desktop environment has something screwed up and the
> pop-up requests do not appear on the same desktop as the originating app.
> IIRC, this is configurable somewhere, depending on the DE you use.
>
> HTH, :-)
> Marko
>
> 
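
Added example, not part of the original messages: a small shell check that reports the boot-time setting (`chkconfig`) and the current state (`service`) of iptables as two separate facts, which is the distinction the thread turns on. The function names and the sample `chkconfig --list iptables` lines are constructed for illustration; the second argument is whatever `service iptables status` reports on the machine being checked.

```shell
#!/bin/sh
# Added example: separate "enabled at boot" from "running now" for iptables.
# Sample lines below are constructed; on a real box pass in the output of
# `chkconfig --list iptables` and the state seen from `service iptables status`.

# Print the runlevels (space separated) where a chkconfig line shows "on".
# $1: one line of `chkconfig --list <service>` output
boot_runlevels() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 2; i <= NF; i++) {
            split($i, kv, ":")
            if (kv[2] == "on") out = out (out == "" ? "" : " ") kv[1]
        }
        print out
    }'
}

# Classify the combined state.
# $1: chkconfig line, $2: "running" or "stopped"
firewall_state() {
    levels=$(boot_runlevels "$1")
    if [ -n "$levels" ] && [ "$2" = "running" ]; then
        echo "enabled-and-running"
    elif [ -n "$levels" ]; then
        # what `service iptables stop` alone leaves behind
        echo "stopped-but-returns-at-boot"
    elif [ "$2" = "running" ]; then
        # what `chkconfig iptables off` alone leaves behind
        # (the GUI's red dot with the plug still in)
        echo "running-until-reboot"
    else
        echo "disabled-and-stopped"
    fi
}

# Constructed sample lines in the `chkconfig --list` layout.
SAMPLE_ON='iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off'
SAMPLE_OFF='iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off'

firewall_state "$SAMPLE_ON" stopped
firewall_state "$SAMPLE_OFF" running
```

If the check reports `disabled-and-stopped` before a reboot and filter rules are loaded again afterwards, something other than the iptables init script is loading them, which narrows where to look.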



