Hello all expert Linux administrator,

i facing this difficulties in fedora 7. I realized that firewall in fedora 7 is not quite stable.

If the firewall have many rules, my shut down time is slower and oppose to less rules.

Besides that, my firewall sometimes hang at boot time when starting firewall.

If you need information from me, please let me know.

Thanks for your help.

Your help is greatly appreciated by me and others.

When you say that it sometimes hangs on boot, do you just mean it is slow, or that it never finishes?

The time delay at shutdown probably means it is saving the current firewall rules. If this is a big annoyance, you could disable it, but then you would not save any changes you had made to the firewall since boot.

How long it it takes to load and save firewall rules depends on how many rules you have and the speed of your processor. On a modern processor, you probably wouldn't notice the time it took to load a hundred rules. On older processors, I have seen it take 5 to 10 seconds. It also depends on how the system handles it. I have seen where iptables-save was a bash script that actually took quite a while. But I believe these days it is generally a compiled program which is much quicker.

You might want to post how many rules you have and what speed/type of processor you are using.

I think is never finished because i have wait for 5-10 minutes.

My system specification is AMD athlon 3500++ 2.4ghz and 512 RAM.

The default tables in iptables is filter.

In the input chain, i have 16 rules. In outpu chain, i have 5 rules. I have 1 rules in forward chain.

I hope this helps.

Thanks.

Man, that should take no time!

I haven't used a RH product since before Fedora, so if I make a wrong assumption here, correct me. I am assuming you are not running any firewall script/program not included with Fedora and I am assuming there is an init script called iptables. If so, I want you to try a couple of things. This will temporarily take your firewall down, so it would be prudent to disconnect from the Internet or an untrusted network first (just pull the cable). Afterwards, you can reconnect. (If something goes horribly wrong, reboot before reconnecting.)

The commands I want you to run, in sequence, are:

This should shutdown your firewall and then restart it. It will also print out how long each of these operations takes (that is what the word time does). I am interested in whether there are any errors (or if it hangs), and in how long it takes.

Could you also let me know whether you are used to working with bash scripts?

Hello, are you sure you are using iptables? The rules should load rather quickly with that many rules. If you are using a different firewall such as apf I would expect it to take that long to load as apf is dynamic and will build it's own rules sets that will slow a server down when booting because it will have to load all of the rulesets. If you think iptables is causing this issue, you can always run iptables -F and then service iptables save to flush and save the empty rules, and the re-input them. Can you post a copy of your rules so we can take a look at themas well?

The firewall need 20 minutes to start it.
After that a screen display which is /etc/swpas -- [ok], then the login screen is display. The iptables is not started.

I have apf firewall installed.


Thanks for your help.

I have disable the graphical boot section by /etc/sysconfig/init -- graphical=no .

Now, it can start normally but i no longer can connect to the internet.

I have connect to the internet by service iptables off.

Below is my iptables -config.

# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="ip_conntrack_netbios_ns"

# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
# Value: yes|no, default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
# Value: yes|no, default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"

# Verbose status output
# Value: yes|no, default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"

# Status output with numbered lines
# Value: yes|no, default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"



Below is my firewall rules:

Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
DROP 0 -f anywhere anywhere
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
DROP tcp -- anywhere anywhere ctstate INVALID,NEW state INVALID,NEW
DROP udp -- anywhere anywhere ctstate INVALID,NEW state INVALID,NEW
DROP icmp -- anywhere anywhere ctstate INVALID,NEW state INVALID,NEW
ACCEPT tcp -- anywhere anywhere ctstate ESTABLISHED state ESTABLISHED
ACCEPT udp -- anywhere anywhere ctstate ESTABLISHED state ESTABLISHED
ACCEPT icmp -- anywhere anywhere ctstate ESTABLISHED state ESTABLISHED
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
DROP icmp -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp spt:31337 dpt:31337
DROP tcp -- anywhere anywhere tcp dpt:telnet

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED state NEW,RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere ctstate NEW,ESTABLISHED state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED state NEW,RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN 0 -- anywhere anywhere

unfortunately I am not a expert on apf, however I can tell you from personal experience from working in the data center that I have had to chkconfig many boxes to bypass apf. Apf as previously posted can take quite a long time to load it's rules. I have personally seen it take 30 + minutes to load. I have also heard that if your rules deny by hostname , it can slow down the firewall as well. you may be able to find some more info here http://forums.rfxnetworks.com/ perhaps someone with more knowledge of apf will weigh in.

My problem now is cannot to the internet.

My Red Hat Firewall Input has been delete by hacker. I don't have back up of it. Cold anyone post the Red Hat Firewall Input here.

I don't have red Hat Firewall Chain in my current firewall(iptables). I don't this is the issue because i cannot to internet with iptables off.

Thanks for your help.

Are you trying to access the Internet directly from this box? I don't see anything in your firewall rules that might prevent that with one possible exception:

I am used to seeing rules like the above accepting both ESTABLISHED and RELATED states. I am not sure whether lack of RELATED could prevent Internet access.

If you want to troubleshoot, I can think of two things you can try:

• If you list your iptables rules using the -v option, the first two columns of the listing should show packet and byte counts for matching packets. This might give you an idea of what rules are blocking the packets.
• You can use a packet sniffer like tcpdump or wireshark to see what packets are actually going out and coming into your network interface.

Just so you know, I have no knowledge of apf. I am passingly familiar with iptables rules except for the mangle table.

Also, if I understood you correctly, your server has been compromised. While not a security expert, my understanding is that when that happens you are best off starting over from scratch or restoring from a trusted backup, since once the machine has been compromised you can never again trust what the utilities tell you.