Firewall won't shut down?????? [SOLVED]

[Hiero2]

See also my posting about installing Oracle XE on Vector. I think my problem may be related to what I'm finding here.

Techie details: VL6, xfce 4.6, firestarter 1.03. 1.8G cpu, 2G RAM, 2 30G hdd.

I started the firewall, got it running and everything was fine. Until I tried to install Oracle XE, and had issues so I needed to shut the firewall OFF. I can't do it!

I checked the etc/ level settings, for 3, 4, and 5 - firewall is not checked to start up. In firestarter I set it not to run at startup. As root "service firewall stop" tells me it isn't running. BUT nmap (on my own machine) tells me everything is closed or filtered!

Am I doing something wrong, or making a bad assumption about what nmap should be telling me? I don't think so, but maybe somebody can help.

[bigpaws]

You can remove all the rules temporarily by using this command

iptables -flush

You can check to see the rules

iptables -L

If there are any rules you will see them.

Look in  /etc/rc.d/<probably rc.firewall> there should be a stop
or something like that. You can remove the executable bit

chmod -x /etc/rc.d/rc.firewall

Then the script will not start

HTH

Bigpaws

[Hiero2]

Huuuuaaa, big buddy, we are deep in learning territory here!

Ok, I did the iptables -L first, just to be sure I didn't screw anything up. Then I dug in my archive of material, looking for my iptables stuff from a few years back. Earlier in this whole process, I had taken a quick look around for an iptables script, forgetting that "-L" option (that's it, I forget the obvious and simple answer!).

So, before we go any farther, I'm bewildered. There is no etc/firewall, there are no firewall.* scripts, there are no iptables.* scripts or conf file. Not anywhere in my whole file system. There is an iptables.h, but it's a zer0-byter. What's up with this? How is VL setting the iptables rules? Or did Firestarter do that?

BTW, don't get me wrong - from a security standpoint, this all seems like a good thing. But from a control standpoint - trying to get my stuff working, well . . .

Thanks for your time.
Mark

Oh, and here's the iptables rules - which also look COMPLETELY different from my reference files of 5 years ago! What happened to this format: <<iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT>>   

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             loopback/8         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  -f  anywhere             anywhere           
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere            udp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-dgm
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination       

[Hiero2]

Update: nvm the iptables script (command) syntax vs the "-L" output - again my memory fails.

Howevah - I flushed the iptables, I also noticed the input policy is to drop. Now nmap from another LAN machine changes - it can't even find the box. I run a few iptables commands to open up some ports, and nmap sez again that is sees closed and filtered ports.

So I changed the policy. Iptables -L now:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http flags:FIN,SYN,RST,ACK/SYN

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination       

BUT nmap from my LAN machine STILL sez "All 1000 scanned ports are closed"!!!!!!!!!!! But ping gets a reply.

This is too weird. I'm missing something here.

The real issue was trying to install Oracle XE - which still isn't working.

If you can tell me how this is, that would be great.

[christina2009]

You can remove all the rules temporarily by using this command

iptables -flush

You can check to see the rules

iptables -L

If there are any rules you will see them.

Look in  /etc/rc.d/<probably rc.firewall> there should be a stop
or something like that. You can remove the executable bit

chmod -x /etc/rc.d/rc.firewall

Then the script will not start

HTH

Bigpaws

I think this is enough .....
I do agree with you. Those are the most effective way
simulation taux banque credit immobilier de France - Credit immobilier de France, simulation credit immobilier. Résultat mitigé pour le crédit immobilier de France.simulation taux banque credit immobilier de France

[OU812]

In antix - a debian based distro, we use firehol. To stop firehol, we issue the command as root

/etc/init.d/firehol stop

Maybe there's something similar for firestarter.

HTH.

john

[Hiero2]

John - thanks. Yep, firestarter has a command line stop. I had used both the gui stop, and the command line stop. Still had the iptables stuff. I eventually figured out that iptables seems to have a default setup these days. I reset the iptables using flush, and the command syntax I recognized, but this whole thing turned out to be a red herring as far as installing the Oracle was involved, and that was the real reason for attempting to make it happen.

I appreciate your response
Mark