Description of problem:
Hello,
When I ask whether the iptables service is running or not (service iptables status), it says that it is, but no filters are present. I am using Puppet and I ask it to stop the iptables service, so every time it says that iptables is running but it really is not (no rules are defined).

Version-Release number of selected component (if applicable):
[root@fortoy83 ~]# uname -a
Linux fortoy83 2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

How reproducible:
[root ~]# /etc/init.d/iptables stop
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
[root ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Expected results:
[root ~]# /etc/init.d/iptables status
iptables: Firewall is not running.

Additional info:
[root ~]# grep -i nf_conntrack= /boot/config-2.6.29.4-167.fc11.x86_64
CONFIG_NF_CONNTRACK=y

It seems that because netfilter is not a module, the filter table exists even if no configuration is made. I think there are 2 solutions:
1- correct the init script to have good behaviour
2- compile nf_filter as a module
TIA.
service iptables status is reporting that there is a firewall active. The firewall does not contain any rules, and the policy is ACCEPT, but the netfilter parts in the kernel are active; therefore the script has to report that a firewall is active. service iptables status is reporting a firewall even if it contains no rules, and this has been the case since it was created. The service has to report an empty firewall. Please think of an empty firewall with the policy DROP on a chain. Closing as not a bug.
I understand that some people need to have iptables active on their systems. But if I want to disable it, I need to rebuild a kernel... I think that this solution is not really good. It would be easier to have nf_filter built as a module and NOT compiled directly into the kernel. Now, when I stop the iptables service, the status command should say "I am not running", but it says "I am running"... There is some incoherence here, don't you think? I think the iptables init script should unload the nf_filter module to ensure that this service is stopped (but this is not possible right now because nf_filter is built into the kernel). Regards, Aurélien
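As an added example (not part of this bug report and not the Fedora iptables init script), the shell functions below classify an iptables-save dump into the three states the two sides of this thread are arguing about: no table loaded at all ("absent"), a loaded filter table with no rules and ACCEPT policies everywhere ("empty", what the reporter sees after service iptables stop), and a table with at least one rule or one built-in chain whose policy is not ACCEPT ("active", which covers the empty-chain-with-policy-DROP case the maintainer raises). The function names and the sample dumps are constructed here for illustration.

```shell
#!/bin/sh
# Added example: classify an iptables-save dump. Not from the bug report or
# the Fedora init script; function names and sample dumps are constructed here.
#
# Reads iptables-save output on stdin and prints one word:
#   absent - no table in the dump (no netfilter table loaded at all)
#   empty  - table(s) loaded, no rules, every built-in chain policy is ACCEPT
#            (the state the reporter sees after "service iptables stop")
#   active - at least one rule, or a built-in chain whose policy is not ACCEPT
#            (an empty chain with policy DROP still filters, as the
#            maintainer points out)
classify_ruleset() {
    awk '
        /^\*/ { tables++; next }          # "*filter", "*nat", ...
        /^:/  {                           # ":INPUT ACCEPT [0:0]"; user chains show "-"
            if ($2 != "ACCEPT" && $2 != "-") nonaccept++
            next
        }
        /^-A/ { rules++; next }           # one appended rule
        END {
            if (tables == 0)                       print "absent"
            else if (rules == 0 && nonaccept == 0) print "empty"
            else                                   print "active"
        }
    '
}

# Convenience wrapper: classify a dump passed as a string.
classify_ruleset_str() {
    printf '%s\n' "$1" | classify_ruleset
}

# What a status check that distinguishes the three states could print.
status_message() {
    case "$(classify_ruleset_str "$1")" in
        absent) echo "iptables: Firewall is not running." ;;
        empty)  echo "iptables: Firewall is loaded but has no rules (all policies ACCEPT)." ;;
        active) echo "iptables: Firewall is active." ;;
    esac
}

# Constructed sample dumps (not captured from the reporter's machine).
EMPTY_DUMP='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

DROP_POLICY_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

RULES_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fw-input - [0:0]
-A INPUT -j fw-input
-A fw-input -i lo -j ACCEPT
COMMIT'

# Stand-alone run: "sh classify.sh --demo" prints the message for each sample
# (empty, DROP policy, rules present, and an empty dump standing in for "absent").
if [ "${1:-}" = "--demo" ]; then
    for d in "$EMPTY_DUMP" "$DROP_POLICY_DUMP" "$RULES_DUMP" ""; do
        status_message "$d"
    done
fi
```

On a live system run iptables-save | classify_ruleset as root. Whether "empty" should be reported as "not running" is exactly what the thread disputes: on a kernel where the netfilter tables are built in rather than loadable modules, the "absent" state never occurs, which is the reporter's point, while an "empty" table with a DROP policy on any built-in chain is classified as "active" here, which is the maintainer's.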