disable firewall

Pete Nesbitt pete at linux1.ca
Wed May 5 01:26:13 UTC 2004


On May 4, 2004 06:03 pm, Ed Greshko wrote:
> On Wed, 2004-05-05 at 08:27, Pete Nesbitt wrote:
> > On a related note (I found interesting anyway), a while ago I checked
> > some iptables rules for someone, and made some changes, loaded them up on
> > my machine, got the expected errors (non valid interface etc) and then
> > stopped the firewall using 'service iptables stop'.
> > Shortly afterwards I experienced connectivity problems. The problem was
> > that the rules were partial and no default policies were in place, so
> > even though I stopped the iptables service (the user part), netfilter
> > (the kernel part) lived on. I needed to set default rules and start/stop
> > the fw in order to clear the test rules. It turns out "stop" means flush
> > the existing rules and set the default policies (normally accept for all
> > chains)
>
> That last bit, for a "firewall" seems to be bad practice.  Best practice
> should be:
>
> Stop:  Flush all existing rules/policies and go into "default" mode of
> reject ALL.
>
> Disable:  Totally disable firewall.  Reverting to accept ALL.  In the
> case of iptables/ipchains this may also imply unloading relevant
> modules.
>
> FWIW, one can reference a good iptables front-end such as "shorewall".
> In this implementation:
>
> "shorewall clear" totally disables the firewall.
>
> "shorewall stop"  reverts to the default "reject all" with the exception
> of hosts defined in the "routestopped" configuration.  This will allow
> you to remotely maintain the firewall.  That is, stop it but have at
> least one host with access.
>
> Regards,
> Ed
>
> --
> "An opinion is like an asshole - everybody has one."
>     - Clint Eastwood as Harry Callahan, The Dead Pool - 1988.

I agree. Default of accept is the RH default though:(
And in my case, I was testing on a protected workstation, so I really did want 
to clear everything and allow all.

shorewall looks interesting as it is script/file based, which is good as a 
firewall box should be minimal, which rules out a gui.
-- 
Pete Nesbitt, rhce
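Ed's stop/clear distinction, as an added shell example that is not from the thread or from shorewall: two functions around iptables, assuming the filter table, IPv4 only, and one constructed maintenance address in ROUTESTOPPED; set IPT=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): "stop" versus "clear" semantics for an
# iptables firewall. Assumptions: filter table, IPv4, and a constructed
# maintenance host in ROUTESTOPPED. Set IPT=echo to dry-run.
IPT="${IPT:-iptables}"
ROUTESTOPPED="${ROUTESTOPPED:-192.0.2.10}"   # constructed example address

# Common first step: flush every rule and delete user-defined chains in the
# filter table, leaving only the built-in chains and their policies.
fw_flush() {
    "$IPT" -F
    "$IPT" -X
}

# "stop": reject-all default policies, but keep one maintenance host
# reachable (the shorewall "routestopped" idea) so a remote admin is not
# locked out while the firewall is stopped.
fw_stop() {
    fw_flush
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    "$IPT" -A INPUT -s "$ROUTESTOPPED" -j ACCEPT
    "$IPT" -A OUTPUT -d "$ROUTESTOPPED" -j ACCEPT
}

# "clear": what the thread says "service iptables stop" did on Red Hat,
# flush and revert to accept-all, i.e. no filtering at all.
fw_clear() {
    fw_flush
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
}

# Show the built-in chain policies so the admin can confirm which of the
# two states the box is actually in after a stop or clear.
fw_policies() {
    "$IPT" -S | grep '^-P'
}
```

Run `fw_policies` after either function: three `-P ... DROP` lines mean the box is stopped but still filtering, three `-P ... ACCEPT` lines mean netfilter is passing everything.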