[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: F11 iptables can't disable

On Wed, 2009-12-16 at 00:29 -0500, KC8LDO wrote:
> Date: Tue, 15 Dec 2009 17:23:47 -0800
> From: Rick Stevens <ricks nerd com>
> Subject: Re: F11 iptables can't disable
> >"chkconfig iptables off" will only block iptables from starting
> >whenever you enter the run level you're _currently_ in.  For example,
> >if you're in the GUI (run level 5) and you run that command, iptables
> >will be off ONLY in run level 5.  It'll still start in run level 3 (the
> >normal one for non-GUI stuff).
> >If you're changing runlevels and want iptables off in them, the correct
> >command is:
> >chkconfig --level <list-of-levels> iptables off
> >E.g. to prevent it from running in run levels 3 and 5:
> >chkconfig --level 35 iptables off
> >To disable it completely:
> >chkconfig --level 12345 iptables off
> >To enable it in run levels 1, 2 and 5, but not in 3 or 4:
> >chkconfig --level 12345 iptables on
> >chkconfig --level 34 iptables off
> >You get the idea.
> Yes I do. If you will look at the GUI tool under Gnome you'll find there is 
> no option for run level 1. Under the "Customize" menu option only run levels 
> 2 through 5 are listed. I know its a single user run level but you would 
> figure the option should be there. Any reason why its not? I can see where 
> somebody may want to use the GUI to do something then dump out of it and 
> switch to runlevel 1 at the CL.
> So you're saying if its enabled in any run level, then of course it will 
> show it as active.  Well let me do some more checking and reading on 
> firewalls.
# ls -l /etc/rc.d/rc1.d/S*
lrwxrwxrwx 1 root root 22 2009-11-22
07:46 /etc/rc.d/rc1.d/S02lvm2-monitor -> ../init.d/lvm2-monitor
lrwxrwxrwx 1 root root 18 2009-11-22 07:29 /etc/rc.d/rc1.d/S06cpuspeed
-> ../init.d/cpuspeed
lrwxrwxrwx 1 root root 15 2008-05-20 14:50 /etc/rc.d/rc1.d/S95jexec
-> ../init.d/jexec

basically, nothing is really supposed to be 'starting' on runlevel 1

chkconfig --level 12345 SOME_SERVICE on

is about as dumb of an idea as you can get. Just don't do it. Sometimes
I cringe at the advice given on this list.

As I told you - you have some other service loading iptables rulesets.

the 'service' iptables is not the only way to create iptables rules or
to load them at startup. It's just the only way that is installed by
default. It is very possible to have iptables service disabled at
startup but something else (rc.local or another 'service') create
iptables rules at startup.


This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]