iptables starting while disabled
I have a xen machine that has iptables turned off, and after a reboot it started behaving badly during times when network IO rose to anything other than almost nil. Since I know iptables makes xen unstable without some additional config and since it's isolated I just have it disabled. As a result it was the last place I looked and spent the better half of the day chasing my tail.

Somehow it gets turned on after a reboot, how can I deduce what is activating it?

Thanks!
jlc
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
iptables starting while disabled
I'm not sure as it relates specifically to XEN - but I would have a look through the /etc/rc.d directory. If it's not being turned on there, 'egrep -i iptables /etc/init.d/*' and see if it's in any startup script there. Slim chance there may be something in rc.local as well.

-Peter

2008/6/9 Joseph L. Casale <JCasale@activenetwerx.com>:
> I have a xen machine that has iptables turned off, and after a reboot it started behaving
> badly during times when network IO rose to anything other than almost nil. Since I know
> iptables makes xen unstable without some additional config and since it's isolated I just
> have it disabled. As a result it was the last place I looked and spent the better half of the
> day chasing my tail.
>
> Somehow it gets turned on after a reboot, how can I deduce what is activating it?
>
> Thanks!
> jlc
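The checks suggested above (start links under /etc/rc.d, scripts in /etc/init.d, rc.local) collected into one shell function. This is an added example, not part of the original thread; the function names, the `xenfw` script and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report what can start iptables at boot on a SysV-init
# (CentOS 5 style) system. Function names and sample data are constructed.

# Print "startlink PATH" for each rcN.d start link and "reference PATH" for
# each init script or rc.local that invokes iptables outside of comments.
# $1 is the root to audit; with no argument the live /etc is checked.
find_iptables_starters() {
    etc="${1%/}/etc"
    # chkconfig on/off works by creating S??name / K??name links per runlevel.
    for link in "$etc"/rc.d/rc[0-6].d/S[0-9][0-9]iptables; do
        if [ -L "$link" ] || [ -e "$link" ]; then
            echo "startlink $link"
        fi
    done
    # Other scripts can load rules themselves, so "chkconfig iptables off"
    # alone does not rule them out.
    for script in "$etc"/init.d/* "$etc"/rc.d/rc.local; do
        [ -f "$script" ] || continue
        [ "${script##*/}" = iptables ] && continue   # the service itself
        if grep -v '^[[:space:]]*#' "$script" | grep -qi iptables; then
            echo "reference $script"
        fi
    done
}

# Constructed sample tree: iptables is chkconfig'd off (K link only), but a
# hypothetical "xenfw" init script and rc.local still invoke it.
make_sample_tree() {
    mkdir -p "$1/etc/init.d" "$1/etc/rc.d/rc3.d"
    printf '#!/bin/sh\n# iptables service\n' > "$1/etc/init.d/iptables"
    printf '#!/bin/sh\n# does not touch iptables\n' > "$1/etc/init.d/sshd"
    printf '#!/bin/sh\n/sbin/iptables-restore < /etc/sysconfig/iptables\n' \
        > "$1/etc/init.d/xenfw"
    printf '#!/bin/sh\nmodprobe ip_tables\n/sbin/service iptables start\n' \
        > "$1/etc/rc.d/rc.local"
    ln -s ../../init.d/iptables "$1/etc/rc.d/rc3.d/K92iptables"
    ln -s ../../init.d/xenfw "$1/etc/rc.d/rc3.d/S99xenfw"
}

# Demo run against the constructed tree.
tmp=$(mktemp -d) && make_sample_tree "$tmp" && find_iptables_starters "$tmp"
rm -rf "$tmp"
```

A script that mentions iptables only in a comment (the sample `sshd`) is not reported, and a `K` link alone produces no `startlink` line.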
iptables starting while disabled
Joseph L. Casale wrote on Mon, 09 Jun 2008 07:46:03 -0600:
> Somehow it gets turned on after a reboot, how can I deduce what is activating it?

AFAIS iptables is active all the time in CentOS 5. Deactivating the service just means that queues are empty. Starting libvirtd and creating xen machines definitely adds to the queues.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
iptables starting while disabled
By the way - what does 'AFAIS' stand for?
-Peter

2008/6/9 Kai Schaetzl <maillists@conactive.com>:
> Joseph L. Casale wrote on Mon, 09 Jun 2008 07:46:03 -0600:
>
>> Somehow it gets turned on after a reboot, how can I deduce what is activating it?
>
> AFAIS iptables is active all the time in CentOS 5. Deactivating the service just
> means that queues are empty. Starting libvirtd and creating xen machines definitely
> adds to the queues.
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
iptables starting while disabled
Peter Farrell wrote on Mon, 9 Jun 2008 16:33:15 +0100:
> By the way - what does 'AFAIS' stand for?

In concordance with AFAIK: AFAI SEE ;-)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
iptables starting while disabled
>I'm not sure as it relates specifically to XEN - but I would have a
>look through the /etc/rc.d
>directory. If it's not being turned on there, 'egrep -i iptables /etc/init.d/*'
>and see if it's in any startup script there.
>Slim chance there may be something in rc.local as well.
>
>-Peter

Peter,
Arghh, system-config-securitylevel had "security" enabled. So what does that do to start iptables? That was a lot of wasted time :)

jlc
iptables starting while disabled
I'm really not sure - it's a control script for setting the security policy of SE Linux I believe. It may control basic firewall settings as well.

You originally said that you wanted IPtables off. Even if your SE Linux policy is set to 'enforcing' you should still be able to shut down your firewall with:

# service iptables stop

and check to make sure with:

# iptables -L -n

I think that by default, SE Linux is turned on and set up with a usable security policy from CentOS 4.6 onwards. Perhaps even earlier.

I'm not at all versed in SE Linux, I usually disable it for everything other than my DMZ machines because it's been such an absolute pain in the ass to manage. They've got much better management tools now and if you do a bit of RTFM'ing you should be able to find a way to tail your logs, see what's being affected, and add that to the policy to 'enable' it.

*there are more elegant ways of doing this - but this is the 'SE Linux 101' method.

Aside from that, your only other option is to disable it. I would try to learn a bit more about it and use it as it's intended. It's here to stay and will be included in most distros from here on out - so we should get used to it!

You can disable the 'enforcing' at boot or change the flag in the config file somewhere under /etc/selinux as I recall.

-Peter

2008/6/10 Joseph L. Casale <JCasale@activenetwerx.com>:
>>I'm not sure as it relates specifically to XEN - but I would have a
>>look through the /etc/rc.d
>>directory. If it's not being turned on there, 'egrep -i iptables /etc/init.d/*'
>>and see if it's in any startup script there.
>>Slim chance there may be something in rc.local as well.
>>
>>-Peter
>
> Peter,
> Arghh, system-config-securitylevel had "security" enabled. So what does that do
> to start iptables? That was a lot of wasted time :)
>
> jlc
iptables starting while disabled
<snip>
Arghh, system-config-securitylevel had "security" enabled. So what does that do to start iptables? That was a lot of wasted time :)

chkconfig iptables off
iptables starting while disabled
>chkconfig iptables off
That was how I disabled it originally yet it was being started by something else.

jlc
iptables starting while disabled
On Saturday 14 June 2008 09:49, Joseph L. Casale wrote:
> >chkconfig iptables off
>
> That was how I disabled it originally yet it was being started by
> something else. jlc

Did you install another firewall front end? Something like Firestarter?

--
Regards
Robert

Smile... it increases your face value!
Linux User #296285 http://counter.li.org