disable firewall

Ed Greshko Ed.Greshko at greshko.com
Wed May 5 01:03:36 UTC 2004


On Wed, 2004-05-05 at 08:27, Pete Nesbitt wrote:

> On a related note (I found interesting anyway), a while ago I checked some 
> iptables rules for someone, and made some changes, loaded them up on my 
> machine, got the expected errors (non valid interface etc) and then stopped 
> the firewall using 'service iptables stop'.
> Shortly afterwards I experienced connectivity problems. The problem was that 
> the rules were partial and no default policies were in place, so even though 
> I stopped the iptables service (the user part), netfilter (the kernel part) 
> lived on. I needed to set default rules and start/stop the fw in order to 
> clear the test rules. It turns out "stop" means flush the existing rules and 
> set the default policies (normally accept for all chains).

That last bit, for a "firewall", seems to be bad practice.  Best practice
should be:

Stop:  Flush all existing rules/policies and go into "default" mode of
reject ALL.

Disable:  Totally disable firewall.  Reverting to accept ALL.  In the
case of iptables/ipchains this may also imply unloading relevant
modules.

FWIW, one can reference a good iptables front-end such as "shorewall".
In this implementation:

"shorewall clear" totally disables the firewall.

"shorewall stop"  reverts to the default "reject all" with the exception
of hosts defined in the "routestopped" configuration.  This will allow
you to remotely maintain the firewall.  That is, stop it but have at
least one host with access.

Regards,
Ed
-- 
"An opinion is like an asshole - everybody has one."
    - Clint Eastwood as Harry Callahan, The Dead Pool - 1988.
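The stop/clear distinction Ed describes, as an added example that is not code from this thread or from shorewall: a small POSIX sh control script where "stop" flushes and goes to DROP on every chain while keeping loopback and a routestopped-style maintenance host reachable, and "clear" flushes and reverts to ACCEPT. The IPT variable defaults to echoing the commands so the script can be read and tested without root; the 192.0.2.10 address is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the thread: an iptables control script that
# separates Ed's "stop" (reject all, keep a maintenance host reachable, like
# shorewall's routestopped) from "clear" (no firewall at all).
# IPT defaults to printing the commands, so the script can be read or tested
# without root; run with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
# Hosts still allowed in while stopped. Constructed sample address.
ROUTESTOPPED="${ROUTESTOPPED:-192.0.2.10}"

# Shared first step: remove every rule, user chain and counter in the filter table.
flush_filter() {
    $IPT -F
    $IPT -X
    $IPT -Z
}

# "stop": policy DROP on every chain, with loopback and the routestopped
# hosts as the only exceptions. The exceptions are added before the policy
# is tightened so an admin session from those hosts is never cut off.
fw_stop() {
    flush_filter
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    for host in $ROUTESTOPPED; do
        $IPT -A INPUT  -s "$host" -j ACCEPT
        $IPT -A OUTPUT -d "$host" -j ACCEPT
    done
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -P "$chain" DROP
    done
}

# "clear": flush and accept everything, i.e. the box runs with no firewall.
# (Unloading the netfilter modules, as Ed mentions, would be a further step.)
fw_clear() {
    flush_filter
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -P "$chain" ACCEPT
    done
}

if [ $# -gt 0 ]; then
    case "$1" in
        stop)  fw_stop ;;
        clear) fw_clear ;;
        *)     echo "usage: $0 {stop|clear}" >&2 ;;
    esac
fi
```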