
I have a development server with the LAMP stack running CentOS:

[Prompt]# cat /etc/redhat-release
CentOS release 5.8 (Final)

[Prompt]# cat /proc/version
Linux version 2.6.18-308.16.1.el5xen (mockbuild@builder10.centos.org) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-52)) #1 SMP Tue Oct 2 22:50:05 EDT 2012

[Prompt]# yum info iptables
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.anl.gov
 * extras: centos.mirrors.tds.net
 * rpmfusion-free-updates: mirror.us.leaseweb.net
 * rpmfusion-nonfree-updates: mirror.us.leaseweb.net
 * updates: mirror.steadfast.net
Installed Packages
Name       : iptables
Arch       : x86_64
Version    : 1.3.5
Release    : 9.1.el5
Size       : 661 k
Repo       : installed
.... Snip....

When I run:

service --status-all

Part of the output looks like this:

.... Snip....
httpd (pid  xxxxx) is running...
Firewall is stopped.
Table: filter
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
....Snip....

iptables has been loaded to the kernel and is active as represented by the rules being displayed.

Checking just iptables returns the rules, just like `--status-all` does:

[Prompt]# service iptables status
Table: filter
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
.... Snip....

Starting or restarting iptables indicates that the iptables have been loaded to the kernel successfully:

[Prompt]# service iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]

[Prompt]# service iptables start
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]

I've googled "Firewall is stopped." and read a number of iptables guides as well as the RHEL documentation, but no luck.

As far as I can tell, there isn't a "Firewall" service, so what is the line "Firewall is stopped." referring to?


EDIT - Here's some additional info.
iptables is working in spite of the "Firewall is stopped." output from service status.

I added a rule to iptables that restricted ssh access to only one IP address (not my IP address) and after restarting iptables, I couldn't log in.

I have an idea that the two items are output one after another in `service --status-all` because the services are output alphabetically (just a guess).

So, can anyone explain why I see "Firewall is stopped." in my service status output even though the iptables rules are in effect and working correctly?


Solution
The "Firewall is stopped." message appears if either iptables or ip6tables is turned off.

If both are off, the (same exact) message will appear twice (wouldn't it be nice if the message for ip6 indicated that it was referring to ip6).

You will also see the error message if the service is on, but you have an empty rules table (as happened in my case for ip6).

Information provided by @Alexander Janssen. See the answer for a link to the CentOS 5.8 default ip6 rule set.

codewaggle

1 Answer

Edit: After having a chat with the OP we can state the following facts:

It refers to the services iptables and ip6tables.

The error message appears when the service ip6tables is on (by chkconfig), but doesn't have any rules.

I advise setting up default IPv6 rules as given in the stock CentOS 5.8 installation. You may take this as a reference. This was taken from a stock 5.8 installation.

Hope everything is sorted out now :)

Alexander Janssen
  • I rebooted and ran `chkconfig --list iptables` and `runlevel`. Runlevel is 3 and config is on for levels 2 through 5. I'm rebooting and will look at the `/var/log/messages` first thing. I'll add more info to the question shortly. – codewaggle Oct 03 '12 at 21:13
  • OK, but this explains everything. If the service `iptables` is on, it's normal that you get an output like that if you run `service --status-all`. – Alexander Janssen Oct 03 '12 at 21:16
  • I think there is a misunderstanding, I want iptables to run and act as a firewall. You say maybe I forgot to stop iptables, why would I want to stop iptables? I want to know what service the "Firewall is stopped" output refers to. I just confirmed that the iptables are in effect even though it says firewall is stopped, so they don't seem to be connected, see the edit to my question that I'll add after I finish this comment. – codewaggle Oct 03 '12 at 21:52
  • So you **want** the firewall to be running and you wonder why it says "Firewall is stopped"? OK, now I figure. And I can verify your problem. Will update my answer soon. Gimme a few minutes. – Alexander Janssen Oct 03 '12 at 21:56
  • @codewaggle Can you tell me if you disabled the service `ip6tables`? If yes, I found the problem. – Alexander Janssen Oct 03 '12 at 21:59
  • No, both iptables and iptables6 are set to on for run levels 2 - 5. I looked with `chkconfig --list`, is there anything else that I should check? – codewaggle Oct 03 '12 at 22:05
  • This is odd. I was able to reproduce your problem with iptables on and started, and ip6tables off and not started. But is ip6tables also started? – Alexander Janssen Oct 03 '12 at 22:08
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/6017/discussion-between-codewaggle-and-alexander-janssen) – codewaggle Oct 03 '12 at 22:09
  • Answer to your question about how I moved the discussion to chat. There's an automatic feature that says "Please avoid extended discussions in comments. Would you like to automatically move this discussion to chat?" it appeared after seven comments in this case (not sure if it's a set number of comments that causes it to appear). It appears above the chat field and the second sentence is a link that creates the chat room. It happened to me one other time on Stack Overflow. – codewaggle Oct 04 '12 at 00:21
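An added example, not code from the original post or from the CentOS init scripts: a small POSIX shell/awk audit over the listing produced by `iptables -L -n --line-numbers` (or the `ip6tables` equivalent) that flags the state the answer identifies, a service that is on but whose table has no rules, so every built-in chain sits at its ACCEPT policy. Both sample listings are constructed; the rule inside RH-Firewall-1-INPUT is an assumption standing in for the post's "Snip".

```shell
#!/bin/sh
# Added example, not from the post or the CentOS init scripts: audit the output
# of `iptables -L -n --line-numbers` (or ip6tables) for the state the answer
# describes, a service that is on but whose rules table is empty.
audit_listing() {
    awk '
        # Built-in chains print "(policy X)"; user chains print "(N references)".
        /^Chain / {
            if ($3 == "(policy") {
                pol = $4; sub(/[)]$/, "", pol)
                if (pol == "ACCEPT") { n++; open[n] = $2 }
            }
            next
        }
        # With --line-numbers, every rule line starts with its index.
        /^[0-9]+[ \t]/ { rules++; next }
        END {
            list = "none"
            for (i = 1; i <= n; i++) list = (i == 1 ? open[i] : list "," open[i])
            printf "%s rules=%d accept_policy_chains=%s\n",
                   (rules > 0 ? "LOADED" : "EMPTY"), rules, list
        }'
}

# Constructed sample: the question's filter table, FORWARD omitted and one
# assumed rule filled in where the post shows "Snip" in RH-Firewall-1-INPUT.
WITH_RULES='Table: filter
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed sample: a table with no rules, every built-in chain left at ACCEPT.
EMPTY_TABLE='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination'

printf '%s\n' "$WITH_RULES" | audit_listing   # LOADED rules=2 accept_policy_chains=OUTPUT
printf '%s\n' "$EMPTY_TABLE" | audit_listing  # EMPTY rules=0 accept_policy_chains=INPUT,FORWARD,OUTPUT
```

On a live host, pipe the real listing in (`ip6tables -L -n --line-numbers | audit_listing`); an `EMPTY` result with all three chains at ACCEPT is the condition that produces "Firewall is stopped." while leaving that protocol unfiltered.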