Thanks to both of you for the information. That will be very helpful.

I see now I may have a different (minor) problem. The firewall is starting up properly after running the FWBuilder script. It is only the status that reports it is down, which is why I was trying to start it myself. I am able to confirm it is working by adding logging options to rules, so I can see that activity is being logged in /var/log/messages.

I guess my only real problem is that when I execute "/sbin/service iptables status" it always reports the status as "stopped", even when it is working.

===

On Sun January 2 2005 11:45 pm, Jeff Vian wrote:
> On Sun, 2005-01-02 at 20:35 -0800, Stephen Walton wrote:
> > fedora-list@xxxxxxxxxxxxxx wrote:
> > >When I try to start iptables it simply fails with no errors and nothing
> > >in /var/log/messages. If I try to load it after running the (fwbuilder
> > >generated) script it starts and then stops immediately.
> >
> > The /etc/rc.d/init.d/iptables script assumes that your firewall setup is
> > in /etc/sysconfig/iptables. If you are using Firewall Builder (I do and
> > highly recommend it for all but the simplest setups), its script is self
> > contained: it first resets iptables and then installs the settings you
> > specified in fwbuilder. If you type "/sbin/service iptables start"
> > after running your fwbuilder script, it will (probably) screw things up
> > as it will try to add the setup in /etc/sysconfig on top of the
> > fwbuilder settings. "/sbin/service iptables stop" is still useful even
> > if you're using fwbuilder, as it will in effect turn off the firewall by
> > resetting everything to its defaults.
>
> One additional note here, and yes, I also use fwbuilder to configure my
> firewall.
>
> Stephen, you are correct as far as you go, but that approach means you
> MUST rerun the fwbuilder script every time you reboot or even if you just
> stop iptables and want to restart it.
>
> To eliminate the problem with doing a service iptables start and having
> your fwbuilder configuration erased, a simple step that only needs to be
> done when the fwbuilder config is first installed or changed would be to
> do a 2 step process.
>
> 1. Install your fwbuilder script and verify it using iptables -L to see
> the settings.
> 2. Save those settings to /etc/sysconfig/iptables using "service
> iptables save".
>
> After step 2 is completed and verified, then you never need to run the
> fwbuilder script again unless it is changed. A simple reboot will
> automatically reload the last one saved when iptables is started.
>
> If you make a change to the fwbuilder script, then repeat the process
> above and you are good to go.
>
> The alternative to this approach is likely that you added into some
> script such as rc.local a command to run the fwbuilder script. The
> problem with doing that is that iptables is by default activated before
> the network is enabled and halted after the network is disabled.
> Running it from some userland script or from somewhere such as rc.local
> makes it get activated at a different time in the startup than default,
> and my approach allows the default scripts to control the timing of the
> firewall startup.
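
The "completed and verified" part of the two-step procedure quoted above can be checked by comparing an `iptables-save` dump of the live ruleset with /etc/sysconfig/iptables. This is an added example, not part of the original thread; the function names and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Reduce an iptables-save dump to a comparable form: drop the "# Generated"
# and "# Completed" comment lines (they carry timestamps) and zero the
# [packets:bytes] counters, which change as traffic flows.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/\[[0-9]*:[0-9]*\]/[0:0]/g' \
        -e 's/[[:space:]]*$//' "$1"
}

# Return 0 when two dumps describe the same ruleset, 1 when they differ,
# 2 when either file cannot be read.
rules_match() {
    a=$(normalize_rules "$1") || return 2
    b=$(normalize_rules "$2") || return 2
    [ "$a" = "$b" ]
}

# Constructed sample dumps (not taken from the thread).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/running" <<'EOF'
# Generated by iptables-save on Sun Jan  2 23:50:01 2005
*filter
:INPUT DROP [41:3120]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [97:8811]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "DENY: "
COMMIT
# Completed on Sun Jan  2 23:50:01 2005
EOF
# "saved": same rules, written earlier with zeroed counters.
sed -e 's/23:50:01/23:45:00/' -e 's/\[[0-9]*:[0-9]*\]/[0:0]/' \
    "$tmp/running" > "$tmp/saved"
# "stale": the saved file predates the LOG rule added in fwbuilder.
grep -v -- '-j LOG' "$tmp/running" > "$tmp/stale"

for f in saved stale; do
    if rules_match "$tmp/running" "$tmp/$f"; then
        echo "$f: matches the running ruleset"
    else
        echo "$f: differs; rerun 'service iptables save'"
    fi
done
# On a live host (as root): iptables-save > /tmp/running
#                           rules_match /tmp/running /etc/sysconfig/iptables
```

A mismatch after a reboot means the init script loaded an older ruleset than the one the fwbuilder script last installed.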