VectorLinux
Topic: Firewall won't shut down? [SOLVED]
Hiero2
Member
*
Posts: 57


« on: August 02, 2009, 10:36:10 am »

See also my posting about installing Oracle XE on Vector. I think my problem may be related to what I'm finding here.

Techie details: VL6, xfce 4.6, firestarter 1.03. 1.8 GHz CPU, 2 GB RAM, two 30 GB HDDs.

I started the firewall, got it running and everything was fine. Until I tried to install Oracle XE, and had issues so I needed to shut the firewall OFF. I can't do it!

I checked the etc/ level settings, for 3, 4, and 5 - firewall is not checked to start up. In firestarter I set it not to run at startup. As root "service firewall stop" tells me it isn't running. BUT nmap (on my own machine) tells me everything is closed or filtered!

Am I doing something wrong, or making a bad assumption about what nmap should be telling me? I don't think so, but maybe somebody can help.
« Last Edit: August 16, 2009, 12:03:50 pm by Hiero2 » Logged
bigpaws
Vectorian
****
Posts: 1857


« Reply #1 on: August 02, 2009, 03:34:00 pm »

You can remove all the rules temporarily by using this command

iptables -F

You can check to see the rules

iptables -L

If there are any rules you will see them.

Look in /etc/rc.d/<probably rc.firewall> there should be a stop
or something like that. You can remove the executable bit

chmod -x /etc/rc.d/rc.firewall

Then the script will not start

HTH

Bigpaws
Logged
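Added example, not from this thread and not VectorLinux or Firestarter code: `iptables -F` removes the rules but leaves each chain's policy in place, so a box whose INPUT policy is DROP goes completely silent once its ACCEPT rules are gone. The script below shows the full "firewall off" sequence (policies to ACCEPT, then flush and delete chains in the filter, nat and mangle tables), saves the current ruleset first so it can be put back, and includes a check that reads `iptables -L -n` output and reports each chain's policy and rule count. The backup path and the use of iptables-save/iptables-restore are assumptions about the target system; the sample output in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the VectorLinux thread): turn a netfilter firewall
# fully off and verify it, instead of only flushing rules.
# Assumptions: iptables-save/iptables-restore exist; apply_reset needs root.

BACKUP=${BACKUP:-/root/iptables.before-reset}   # assumed backup location

# Commands that make the packet filter wide open. Flushing alone
# (iptables -F) keeps each chain's *policy*; with INPUT policy DROP
# that means every packet not matched by a rule is still dropped.
reset_commands() {
    cat <<'EOF'
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
EOF
}

# Apply the reset after saving the current ruleset, so it can be restored
# later with: iptables-restore < "$BACKUP"
apply_reset() {
    iptables-save > "$BACKUP" || return 1
    reset_commands | sh -e
}

# Read `iptables -L -n` output (without -v) on stdin and print one line
# per chain:  <chain> <policy> <rule-count>
# User-defined chains have no policy and are shown with "-".
chain_summary() {
    awk '
        /^Chain / {
            if (chain != "") print chain, policy, n
            chain = $2; n = 0; policy = "-"
            if ($3 ~ /^\(policy/) { policy = $4; sub(/\)$/, "", policy) }
            next
        }
        /^target / { next }          # column header of each chain
        NF > 0     { n++ }           # anything else non-blank is a rule
        END        { if (chain != "") print chain, policy, n }
    '
}

# Exit 0 only if every built-in chain is policy ACCEPT and holds no rules,
# i.e. the filter is really out of the way.
firewall_is_off() {
    chain_summary | awk '
        $2 != "-" && ($2 != "ACCEPT" || $3 != 0) { bad = 1 }
        END { exit bad }
    '
}
```

Run `apply_reset` as root to turn the filter off; afterwards `iptables -L -n | chain_summary` should list every built-in chain as ACCEPT with 0 rules, and `iptables -L -n | firewall_is_off` exits non-zero if anything is still in place. Removing the executable bit from the rc script, as above, is still needed so the rules do not come back at the next boot.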
Hiero2
Member
*
Posts: 57


« Reply #2 on: August 03, 2009, 03:51:26 am »

Huuuuaaa, big buddy, we are deep in learning territory here!

Ok, I did the iptables -L first, just to be sure I didn't screw anything up. Then I dug in my archive of material, looking for my iptables stuff from a few years back. Earlier in this whole process, I had taken a quick look around for an iptables script, forgetting that "-L" option (that's it, I forget the obvious and simple answer!).

So, before we go any farther, I'm bewildered. There is no etc/firewall, there are no firewall.* scripts, there are no iptables.* scripts or conf file. Not anywhere in my whole file system. There is an iptables.h, but it's a zero-byter. What's up with this? How is VL setting the iptables rules? Or did Firestarter do that?

BTW, don't get me wrong - from a security standpoint, this all seems like a good thing. But from a control standpoint - trying to get my stuff working, well . . .

Thanks for your time.
Mark

Oh, and here's the iptables rules - which also look COMPLETELY different from my reference files of 5 years ago! What happened to this format: <<iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT>>

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             loopback/8         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  -f  anywhere             anywhere           
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere            udp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-dgm
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination       
Logged
Hiero2
Member
*
Posts: 57


« Reply #3 on: August 03, 2009, 04:23:02 am »

Update: never mind the iptables script (command) syntax vs the "-L" output - again my memory fails.

However - I flushed the iptables, and I also noticed the INPUT policy is DROP. Now nmap from another LAN machine changes - it can't even find the box. I ran a few iptables commands to open up some ports, and nmap says again that it sees closed and filtered ports.

So I changed the policy. iptables -L now:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http flags:FIN,SYN,RST,ACK/SYN

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination       

BUT nmap from my LAN machine STILL says "All 1000 scanned ports are closed"! But ping gets a reply.

This is too weird. I'm missing something here.

The real issue was trying to install Oracle XE - which still isn't working.

If you can tell me how this is, that would be great.
Logged
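Added example, not part of the thread: a reading of nmap's port states in terms of what the target actually sent back, which is what decides whether a packet filter is still in the path. A "closed" port means the host answered the probe with a TCP RST, so nothing dropped it and nothing is listening there; "filtered" means the probe got no answer at all, which is what a DROP policy produces; "Host seems down" means even the ping probes were dropped. The functions read nmap's normal output on stdin and rely on its "Not shown:" and "All N scanned ports" summary lines; the scan outputs in the usage note and test are constructed, not taken from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the thread): summarise nmap normal output on stdin
# and say what the port states mean for "is the firewall still on?".

# Count ports per state. nmap prints the dominant state only as a summary
# ("Not shown: 998 closed ports" / "All 1000 scanned ports on X are closed"),
# so the summary lines and the per-port table are both read.
# Output: open=N closed=N filtered=N down=0|1
count_states() {
    awk '
        /^Not shown: / {
            # e.g. "Not shown: 997 closed ports, 1 filtered port"
            for (i = 3; i < NF; i++)
                if ($i ~ /^[0-9]+$/) n[$(i + 1)] += $i
            next
        }
        /^All [0-9]+ scanned ports / { n[$NF] += $2; next }
        /Host seems down/            { down = 1; next }
        /^[0-9]+\/(tcp|udp) +[a-z|]+/ {
            s = $2
            if (s ~ /filtered/) s = "filtered"   # "open|filtered" = no answer
            n[s]++
            next
        }
        END {
            printf "open=%d closed=%d filtered=%d down=%d\n",
                   n["open"], n["closed"], n["filtered"], down
        }
    '
}

# One-line verdict, worst case first: silence beats RSTs beats SYN/ACKs.
scan_verdict() {
    set -- $(count_states)
    open=${1#open=}; closed=${2#closed=}; filtered=${3#filtered=}; down=${4#down=}
    if [ "$down" = 1 ]; then
        echo "no reply at all: ping probes dropped (DROP policy or no route); rescan with -Pn"
    elif [ "$filtered" -gt 0 ]; then
        echo "$filtered port(s) silent: a packet filter is dropping those probes"
    elif [ "$open" -gt 0 ]; then
        echo "$open port(s) answered SYN/ACK: services reachable, no filter on them"
    else
        echo "$closed port(s) returned RST: host reachable, no packet filter in the way, nothing listening"
    fi
}
```

Pipe a real scan through it, for example `nmap -n 192.168.1.10 | scan_verdict`. With every rule flushed and the policies set to ACCEPT, a host with no services listening legitimately comes back as all ports closed: that is the filter being out of the way, not a filter still running. Only "filtered" ports or a "Host seems down" result point at packets being dropped.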
OU812
Vectorite
***
Posts: 156



« Reply #5 on: August 09, 2009, 07:12:23 pm »

In antiX, a Debian-based distro, we use firehol. To stop firehol, we issue the command as root

/etc/init.d/firehol stop

Maybe there's something similar for firestarter.

HTH.

john
Logged
Hiero2
Member
*
Posts: 57


« Reply #6 on: August 10, 2009, 05:09:47 am »

John - thanks. Yep, firestarter has a command line stop. I had used both the gui stop, and the command line stop. Still had the iptables stuff. I eventually figured out that iptables seems to have a default setup these days. I reset the iptables using flush, and the command syntax I recognized, but this whole thing turned out to be a red herring as far as installing the Oracle was involved, and that was the real reason for attempting to make it happen.

I appreciate your response
Mark
Logged