
How to turn off firewall on RH7.1


peterve

IS-IT--Management
Mar 19, 2000
1,348
NL
I think I have a firewall issue on my Linux Redhat 7.1... and I want to turn it off because I have an external firewall...

How can I completely turn off the firewall on Linux ?
If I run 'setup' or 'lokkit', the firewall config is always set to 'HIGH', when I set it to 'no firewall' and save,
then quit, and then look again,
it has been reverted to 'HIGH' again ....

---------------------------------------------------------------------
I have not failed, I've just found 10,000 ways that don't work
---------------------------------------------------------------------
Peter Van Eeckhoutte
peter.ve@pandora.be
 
ipchains -F (2.2 kernel)
iptables -F (2.4 kernel)
These commands will purge your rules, but if your
problem is still the TR drops from your "external"
firewall you will still have to admit packets from that source, and allow time-exceeded back out to the sender before TR will work.

Good Luck
 
and how can I do that ?
 
Hi,

You should be able to do that by disabling the ipchains service... (as root)

/sbin/chkconfig --level 12345 ipchains off

Rgds
 
all firewall services are disabled,
but I'm still unable to traceroute
(ping however works)

any ideas ?
 
Hi,

If you're sure there is no firewalling of the relevant icmp packets, try to add some parms to traceroute :

traceroute -w 10 - (use 10 sec wait instead of default of 5)
traceroute -n - (don't resolve hop ip addresses)
traceroute -v - (verbose output)

(Or try them all together)

Sometimes you will just get * * * for a hop because the router/gateway concerned has a ttl setting that is too small to enable the response packet to get back to you. Also some may be running code that just does not send back 'time exceeded' messages at all or the sysadm has deliberately suppressed such packets. Having said that, in such cases, you would then get similar results from another machine which does not appear to be happening in your case.


Rgds
 
why is it working from all the other clients in my network (Windows 2000 professional clients) and not from Linux ?
 
Hi,

Microsoft's implementation of traceroute may well use different defaults to the linux code, e.g. wait time, ttl limit. So that <could> explain why you might not get identical responses from a w2k box vs linux. However, if you've increased the wait time and it just doesn't work at all (e.g. try a traceroute to an internal machine) then I'd suspect some kind of packet-filtering / firewalling on the linux box. Also, is there any proxy server between your lan and the internet or any different way that the win2k boxes connect to the internet vs linux box ?

Rgds

 
Have you tried turning ipchains off completely? Either via the /etc/rc.d scripts, or with a nifty utility called ntsysv.

~M
 
i tried several commands to turn off ipchains,
maybe this ntsysv can help shut it down completely...

what is it, where can I get it and how does it work ?
 
Hi,

ntsysv is just a console-gui tool to manipulate the runlevel files - it's functionally identical to 'chkconfig' and to 'tksysv'. The latter is better if you like gui interfaces (under X only).

Rgds
 
peterve:
M$ and linux use completely different network stacks:
linux uses udp for a number of things that M$ uses icmp for.. (contrary to the RFCs) however, functionality is
the issue..

In a previous post you said that there was an "external" firewall. I took this to mean that you have another machine
or router outside your internal network that is performing some packet filtering besides what is local to your own machines and network? Is this correct?
If so then you will need to check rules from there back...
Have you tried tracerouting to your next hop, or default
gw? Just to verify that traceroute works that far?
 
Hi,

Actually, the linux implementation of traceroute does in fact use udp by default (ports 33435 to 33525) with the option to use icmp whereas M$ just uses icmp. So in order to run a comparable (icmp based) traceroute on linux you would do :

/sbin/traceroute -I
Try this to see if it works - if so there must be some udp firewalling going on...

Rgds
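Added illustration, not written by any poster in this thread: a constructed Python model of the diagnosis reached above. A filter that drops only the UDP probe ports used by the default Linux traceroute explains why ping and an ICMP-based `traceroute -I` succeed while the UDP traceroute shows `* * *`. The filter rule and probe builder are constructed for the example; the port range is the one quoted in the post.

```python
"""Constructed model: why 'ping works, traceroute does not' points at UDP
filtering rather than ICMP filtering (the conclusion of the thread above)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Destination ports the thread quotes for the default Linux (UDP) traceroute.
UDP_TRACEROUTE_PORTS = range(33435, 33526)


@dataclass(frozen=True)
class Probe:
    proto: str                       # "udp" or "icmp"
    dst_port: Optional[int] = None   # UDP only
    icmp_type: Optional[int] = None  # 8 = echo request (ping, traceroute -I)


def make_probes(kind: str, hops: int = 3) -> List[Probe]:
    """Probes each tool emits, one per hop (TTL omitted: the filter is stateless)."""
    if kind == "traceroute":            # Linux default: UDP, port climbs per probe
        return [Probe("udp", dst_port=33435 + i) for i in range(hops)]
    if kind == "traceroute -I":         # ICMP echo, comparable to Windows tracert
        return [Probe("icmp", icmp_type=8) for _ in range(hops)]
    if kind == "ping":
        return [Probe("icmp", icmp_type=8)]
    raise ValueError(f"unknown tool: {kind}")


def udp_blocking_filter(p: Probe) -> bool:
    """Constructed rule: drop UDP to the traceroute port range, pass all else.
    Returns True when the probe is allowed out."""
    return not (p.proto == "udp" and p.dst_port in UDP_TRACEROUTE_PORTS)


def run(kind: str, allow: Callable[[Probe], bool] = udp_blocking_filter,
        hops: int = 3) -> List[str]:
    """Per-hop display: the hop number if the probe got out, '* * *' if dropped."""
    return [f"hop {i + 1}" if allow(p) else "* * *"
            for i, p in enumerate(make_probes(kind, hops))]


def diagnose(results: Dict[str, List[str]]) -> str:
    """Thread's reasoning: ICMP tools fine + UDP traceroute all stars -> UDP filtered."""
    udp_dead = all(r == "* * *" for r in results["traceroute"])
    icmp_ok = all(r != "* * *" for r in results["ping"] + results["traceroute -I"])
    if udp_dead and icmp_ok:
        return "udp-filtered"
    if udp_dead:
        return "icmp-and-udp-filtered"
    return "no-filtering-seen"


if __name__ == "__main__":
    res = {k: run(k) for k in ("ping", "traceroute", "traceroute -I")}
    for k, v in res.items():
        print(f"{k:14} {' | '.join(v)}")
    print("diagnosis:", diagnose(res))
```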
 
got it ! it was the UDP issue !!!
Thanks guys
 