06-09-2008, 01:46 PM
"Joseph L. Casale"

iptables starting while disabled

I have a xen machine that has iptables turned off, and after a reboot it started behaving
badly during times when network IO rose to anything other than almost nil. Since I know
iptables makes xen unstable without some additional config and since it's isolated I just
have it disabled. As a result it was the last place I looked and spent the better half of the
day chasing my tail.

Somehow it gets turned on after a reboot, how can I deduce what is activating it?

Thanks!
jlc

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
06-09-2008, 02:15 PM
"Peter Farrell"

iptables starting while disabled

I'm not sure as it relates specifically to XEN - but I would have a
look through the /etc/rc.d directory. If it's not being turned on there,
'egrep -i iptables /etc/init.d/*' and see if it's in any startup script there.
Slim chance there may be something in rc.local as well.

-Peter

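
The checks suggested in the reply above (start links under /etc/rc.d, plus other init scripts and rc.local that mention iptables), as an added shell example that is not part of the original thread. The sample tree and the script name customfw are constructed for illustration, and the /etc/rc.d/rcN.d and /etc/rc.d/rc.local paths assume a SysV-init layout.

```shell
#!/bin/sh
# Added example: list what in a SysV-init tree could bring iptables up at boot.
# Pass a root directory (default /) so a mounted image or test tree can be audited.
find_iptables_starters() {
    root=${1:-/}
    root=${root%/}
    # 1. Start links (S??name) for iptables in any runlevel directory.
    #    Kill links (K??name) are ignored: they stop the service.
    for link in "$root"/etc/rc.d/rc[0-6].d/S*iptables*; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        echo "runlevel-link ${link#"$root"}"
    done
    # 2. Any other init script, or rc.local, that mentions iptables
    #    outside of comment lines.
    for script in "$root"/etc/init.d/* "$root"/etc/rc.d/rc.local; do
        [ -f "$script" ] || continue
        case ${script##*/} in iptables) continue ;; esac
        if grep -v '^[[:space:]]*#' "$script" | grep -qi 'iptables'; then
            echo "references ${script#"$root"}"
        fi
    done
}

# Constructed sample tree (not taken from the thread): one start link,
# one kill link, one hypothetical script that starts the firewall,
# and an rc.local that only mentions iptables in a comment.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/rc.d/rc0.d" "$t/etc/rc.d/rc3.d" "$t/etc/init.d"
    printf '#!/bin/sh\n' > "$t/etc/init.d/iptables"
    printf '#!/bin/sh\nifup eth0\n' > "$t/etc/init.d/network"
    printf '#!/bin/sh\n/sbin/service iptables start\n' > "$t/etc/init.d/customfw"
    printf '#!/bin/sh\n# iptables is meant to stay off\n' > "$t/etc/rc.d/rc.local"
    ln -s ../../init.d/iptables "$t/etc/rc.d/rc3.d/S08iptables"
    ln -s ../../init.d/iptables "$t/etc/rc.d/rc0.d/K92iptables"
    echo "$t"
}

# Demo run on the constructed tree.
demo=$(make_sample_tree)
find_iptables_starters "$demo"
rm -rf "$demo"
```

An empty result only rules out these static sources; it says nothing about rules added at runtime by another daemon.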
 
06-09-2008, 03:18 PM
Kai Schaetzl

iptables starting while disabled

Joseph L. Casale wrote on Mon, 09 Jun 2008 07:46:03 -0600:

> Somehow it gets turned on after a reboot, how can I deduce what is activating it?

AFAIS iptables is active all the time in CentOS 5. Deactivating the service just
means that queues are empty. Starting libvirtd and creating xen machines definitely
adds to the queues.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com



 
06-09-2008, 03:33 PM
"Peter Farrell"

iptables starting while disabled

By the way - what does 'AFAIS' stand for?

-Peter


 
06-09-2008, 04:59 PM
Kai Schaetzl

iptables starting while disabled

Peter Farrell wrote on Mon, 9 Jun 2008 16:33:15 +0100:

> By the way - what does 'AFAIS' stand for?

In concordance with AFAIK: AFAI SEE ;-)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com



 
06-10-2008, 12:27 AM
"Joseph L. Casale"

iptables starting while disabled

>I'm not sure as it relates specifically to XEN - but I would have a
>look through the /etc/rc.d directory. If it's not being turned on there,
>'egrep -i iptables /etc/init.d/*' and see if it's in any startup script there.
>Slim chance there may be something in rc.local as well.
>
>-Peter

Peter,
Arghh, system-config-securitylevel had "security" enabled. So what does that do
to start iptables? That was a lot of wasted time

jlc
 
06-10-2008, 06:43 AM
"Peter Farrell"

iptables starting while disabled

I'm really not sure - it's a control script for setting the security policy
of SE Linux I believe. It may control basic firewall settings as well.

You originally said that you wanted IPtables off. Even if your SE Linux
policy is set to 'enforcing' you should still be able to shut down your
firewall with:
# service iptables stop
and check to make sure with:
# iptables -L -n

I think that by default, SE Linux is turned on and set up with a
usable security policy from CentOS 4.6 onwards. Perhaps even earlier.
I'm not at all versed in SE Linux, I usually disable it for everything
other than my DMZ machines because it's been such an absolute pain in
the ass to manage. They've got much better management tools now and if
you do a bit of RTFM'ing you should be able to find a way to tail your
logs, see what's being affected, and add that to the policy to 'enable' it.
*there are more elegant ways of doing this - but this is the 'SE Linux
101' method.

Aside from that, your only other option is to disable it. I would try
to learn a bit more about it and use it as it's intended.
It's here to stay and will be included in most distros from here on
out - so we should get used to it!

You can disable the 'enforcing' at boot or change the flag in the
config file somewhere under /etc/selinux as I recall.

-Peter


 
06-14-2008, 11:57 AM
Johnny Hughes

iptables starting while disabled

<snip>


> Arghh, system-config-securitylevel had "security" enabled. So what does that do
> to start iptables? That was a lot of wasted time


chkconfig iptables off

 
06-14-2008, 01:49 PM
"Joseph L. Casale"

iptables starting while disabled

>chkconfig iptables off

That was how I disabled it originally yet it was being started by something else.
jlc

 
06-14-2008, 02:31 PM
Robert Spangler

iptables starting while disabled

On Saturday 14 June 2008 09:49, Joseph L. Casale wrote:

> >chkconfig iptables off
>
> That was how I disabled it originally yet it was being started by
> something else. jlc

Did you install another firewall front end? Something like Firestarter?


--

Regards
Robert

Smile... it increases your face value!
Linux User #296285
http://counter.li.org

All times are GMT.