F11 iptables can't disable

Rick Stevens ricks at nerd.com
Wed Dec 16 01:23:47 UTC 2009


On 12/15/2009 01:09 PM, Aaron Konstam wrote:
> On Tue, 2009-12-15 at 14:26 +1030, Tim wrote:
>> On Mon, 2009-12-14 at 10:01 -0500, KC8LDO wrote:
>>> Yes I can use "service iptables stop" at the CLI but the firewall is
>>> right back again with filtering when I reboot the machine.
>>
>> Try reading the replying posts again.
>>
>> "service iptables stop" will stop it now, and only now.  Likewise with
>> using it to start or restart a service.
>>
>> What happens when booting/changing run levels is controlled by something
>> else.  The chkconfig command can control that, and list what levels the
>> service will be on or off at.
>>
>> e.g. chkconfig --list iptables
>>       chkconfig iptables off
>>       chkconfig --list iptables
>>
> The above is correct and what I said before was a product of my machine
> problems I thought I would never fix. My Bugzilla report of the nautilus
> connection problem just sits there unsolved and it is embarrassing.
> Rahul convinced me to Bugzilla error so developers learn about problems.
> But their getting around to fix the problem is a whole different
> problem.

"chkconfig iptables off" will only block iptables from starting
whenever you enter the run level you're _currently_ in.  For example,
if you're in the GUI (run level 5) and you run that command, iptables
will be off ONLY in run level 5.  It'll still start in run level 3 (the
normal one for non-GUI stuff).

If you're changing runlevels and want iptables off in them, the correct
command is:

	chkconfig --level <list-of-levels> iptables off

E.g. to prevent it from running in run levels 3 and 5:

	chkconfig --level 35 iptables off

To disable it completely:

	chkconfig --level 12345 iptables off

To enable it in run levels 1, 2 and 5, but not in 3 or 4:

	chkconfig --level 12345 iptables on
	chkconfig --level 34 iptables off

You get the idea.  And also remember that "service iptables stop" only
stops it for now.  A reboot or run level change will use the chkconfig
stuff.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks at nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-    If your broker is so damned smart...why is he still working?    -
----------------------------------------------------------------------
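Added example, not part of the original message: a small POSIX shell check that reads one line of `chkconfig --list <service>` output and reports the run levels in which the service is on or off, so the result of the `--level` commands above can be verified instead of assumed. The function names and the sample line are constructed for illustration; the sample mirrors the "on in 1, 2 and 5, off in 3 and 4" case.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.

# levels_in_state LINE STATE
#   LINE  : one line of `chkconfig --list <service>` output
#   STATE : "on" or "off"
#   Prints the run levels in that state as a digit string, e.g. "125".
levels_in_state() {
    line=$1 want=$2 out=""
    set -- $line          # split on whitespace: name, then "<level>:<state>"
    shift                 # drop the service name
    for field in "$@"; do
        level=${field%%:*}
        state=${field#*:}
        if [ "$state" = "$want" ]; then
            out="$out$level"
        fi
    done
    printf '%s\n' "$out"
}

# off_in_required LINE REQUIRED
#   Prints the levels from REQUIRED (e.g. "2345") in which the service
#   will NOT start. Empty output means it is on in every listed level.
off_in_required() {
    on=$(levels_in_state "$1" on)
    req=$2 gaps=""
    while [ -n "$req" ]; do
        l=${req%"${req#?}"}   # first character of req
        req=${req#?}          # remainder
        case $on in
            *"$l"*) ;;                 # on in this level
            *) gaps="$gaps$l" ;;       # off in this level
        esac
    done
    printf '%s\n' "$gaps"
}

# Constructed sample line, as it would look after:
#   chkconfig --level 12345 iptables on
#   chkconfig --level 34 iptables off
SAMPLE='iptables       	0:off	1:on	2:on	3:off	4:off	5:on	6:off'

echo "on in:  $(levels_in_state "$SAMPLE" on)"
echo "off in: $(levels_in_state "$SAMPLE" off)"
echo "not started in multi-user levels 2345: $(off_in_required "$SAMPLE" 2345)"
```

On a live system, pass `"$(chkconfig --list iptables)"` in place of the sample line.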



