Hardware firewalls are running software too, the only real difference is that the device is purpose built and dedicated to the task. Software firewalls on servers can be just as secure as hardware firewalls when properly configured (note that hardware firewalls are generally 'easier' to get to that level, and software firewalls are 'easier' to screw up).
If you're running outdated software, there's likely a known vulnerability. While your server might be susceptible to this attack vector, stating that it is unprotected is inflammatory, misleading, or a boldface lie (depends on what exactly they said and how they meant it). You should update the software and patch any known vulnerabilities regardless of the probability of exploitation.
Stating that IPTables is ineffective is misleading at best. Though again, if the one rule is allow everything from all to all then yeah, it wouldn't be doing anything at all.
Side Note: all my personal servers are FreeBSD powered and use only IPFW (built-in software firewall). I have never had a problem with this setup; I also follow the security announcements and have never seen any issues with this firewall software.
At work we have security in layers; the edge firewall filters out all the obvious crap (hardware firewall); internal firewalls filter traffic down for the individual servers or location on the network (mix of mostly software and hardware firewalls).
For complex networks of any kind, security in layers is most appropriate. For simple servers like yours there may be some benefit in having a separate hardware firewall, but fairly little.
I've noticed that your default policy for the OUTPUT chain is ACCEPT. As such, in the absence of any DROP or REJECT rule at the bottom of the OUTPUT chain, your wordpress iptables rules allow all traffic to egress on any port.
So to clarify..in your above configuration, all traffic is allowed through the OUTPUT chain.
Check for selinux AVC denials in /var/log/audit/audit.log as permission denied might indicate that httpd cannot connect to the SMTP network port to send email.
In any case, you should also check /var/log/maillog to see if you're being denied permission there, and of course ensure that postfix/sendmail are actually running and available locally.
In the case of you not being able to install plugins, etc. This will almost certainly be a wordpress file permissions issue, which you can look into in the link below.
Hope this helps, while I appreciate your question is somewhat old, it does register highly in google for the subject, so perhaps this might help someone else.
Best Answer
system-config-firewall-tui
is the "stock" text-based firewall configuration tool for RHEL/CentOS. It is perfectly capable of opening custom ports.Press Tab until you reach Customize on the first screen.
Then hit Tab until you reach Forward to skip the list of standard ports.
Then hit Tab until you reach Add, then press Enter.
Then enter the port (e.g.
5900
) and protocol (e.g.tcp
) and press Enter.When done adding ports, hit Tab until you reach Close.
Finally, hit Tab until you reach OK. Your firewall is now saved.