FC3 firewall fails after running for a while.

johnnylo · 01-04-2005, 03:48 PM

Hi, I am running FC3 and use the GUI in GNome environment to configure the iptables.

It seems to me that my firewall need to be restarted after a day or two otherwise the port opened will be blocked again.

For example, I open 137, 138, 139 and 445 for my samba print server. I could print from my xp box, but if I try to ping the samba netbios name from xp box later, it can't find the box, indicating the ports I opened are not functioning.

And Same thing happen to port 80, but if I restart the firewall, everything goes fine again. so I suspect it is my linux firewall that cause it.

Any help is appreciate.

saravkrish · 01-04-2005, 04:15 PM

Are you using firestarter? If yes, I think I know what is happening.

~Sarav

johnnylo · 01-04-2005, 04:24 PM

I don't know. It is a GUI default in FC3. It is under applications -> system setting -> security level.

If firestarter is a third party software, probably I am not using it.

saravkrish · 01-04-2005, 05:42 PM

Thats not firestarter. Btw, do try firestarter. Just google it. Its an opensource GUI firewall that is very user friendly and has more options.

johnnylo · 01-04-2005, 05:49 PM

thanks, I will give it a try and update later.

linuxles · 01-05-2005, 01:32 AM

That's interesting. Haven't seen that problem.

When the machine is unreachable, is the network reachable from the machine?

Here's how you can check to see if the firewall is being changed somehow.

As root: run "iptables -L" and save the output in a file somewhere for later
reference. (ie: iptables -L > iptables-output1)

Then when the machine is unreachable. Run another "iptables -L" and compare
the output with the previous file. You might want to save the output to a different
file. (ie: iptables -L > iptables-output2). You can visually check for the changes
in the output or diff the two files to see the differences between them.
(ie: diff iptables-output1 iptables-output2)

If you see a difference, then something (possibly SeLinux) maybe disabling
or changing your settings... I don't know if SeLinux can or will do something
like this, it's just a thought.

/Les

johnnylo · 01-05-2005, 11:27 AM

Quote:

Originally posted by saravkrish
Thats not firestarter. Btw, do try firestarter. Just google it. Its an opensource GUI firewall that is very user friendly and has more options.

I have installed firestarter last night. The installation is smooth and easy. I added all the port I need in the inbound policy and start testing. For the first 5 mins, I try to ping my netbios but no response. But then after that when I ping again, it worked. However, when I try to ping the netbios again this morning around 6:00 am, I got no response again.

So, it may be silly to ask, but do I need to turn off iptables service or the default security app from FC3 beforeI used firestarter?

johnnylo · 01-05-2005, 11:27 AM

Quote:

Originally posted by linuxles
That's interesting. Haven't seen that problem.

When the machine is unreachable, is the network reachable from the machine?

Here's how you can check to see if the firewall is being changed somehow.

As root: run "iptables -L" and save the output in a file somewhere for later
reference. (ie: iptables -L > iptables-output1)

Then when the machine is unreachable. Run another "iptables -L" and compare
the output with the previous file. You might want to save the output to a different
file. (ie: iptables -L > iptables-output2). You can visually check for the changes
in the output or diff the two files to see the differences between them.
(ie: diff iptables-output1 iptables-output2)

If you see a difference, then something (possibly SeLinux) maybe disabling
or changing your settings... I don't know if SeLinux can or will do something
like this, it's just a thought.

/Les

Thanks, this is a good approach, I will give it a try.