I have a development server with the lamp stack running CentOS:
[Prompt]# cat /etc/redhat-release
CentOS release 5.8 (Final)
[Prompt]# cat /proc/version
Linux version 2.6.18-308.16.1.el5xen (mockbuild@builder10.centos.org) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-52)) #1 SMP Tue Oct 2 22:50:05 EDT 2012
[Prompt]# yum info iptables
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.anl.gov
* extras: centos.mirrors.tds.net
* rpmfusion-free-updates: mirror.us.leaseweb.net
* rpmfusion-nonfree-updates: mirror.us.leaseweb.net
* updates: mirror.steadfast.net
Installed Packages
Name : iptables
Arch : x86_64
Version : 1.3.5
Release : 9.1.el5
Size : 661 k
Repo : installed
.... Snip....
When I run:
service --status-all
Part of the output looks like this:
.... Snip....
httpd (pid xxxxx) is running...
Firewall is stopped.
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
....Snip....
iptables has been loaded to the kernel and is active as represented by the rules being displayed.
Checking just the iptables returns the rules just like status all does:
[Prompt]# service iptables status
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
.... Snip....
Starting or restarting iptables indicates that the iptables have been loaded to the kernel successfully:
[Prompt]# service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]
[Prompt]# service iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]
I've googled "Firewall is stopped." and read a number of iptables guides as well as the RHEL documentation, but no luck.
As far as I can tell, there isn't a "Firewall" service, so what is the line "Firewall is stopped." referring to?
EDIT – Here's some additional info.
iptables is working in spite of the "Firewall is stopped." output from service status.
I added a rule to iptables that restricted ssh access to only one IP address (not my IP address) and after restarting iptables, I couldn't log in.
I have an idea that the two items are output one after another in service --status-all is because the services are output alphabetically (just a guess).
So, can anyone explain why I see the "Firewall is stopped." is my service status output even though the iptables rules are in effect and working correctly?
Solution
The "Firewall is stopped." message appears if either iptables or ip6tables is turned off.
If both are off, the (same exact) message will appear twice (wouldn't it be nice if the message for ip6 indicated that it was referring to ip6).
You will also see the error message if the service is on, but you have an empty rules table (as happened in my case for ip6).
Information provided by @Alexander Janssen . See the answer for a link to the CentOS 5.8 default ip6 rule set.
Best Answer
Edit: After having a chat with the OP we can state the following facts:
It refers to the services
iptablesandip6tables.The errormessage appears when the service
ip6tablesis on (bychkconfig), but doesn't have any rules.I advice to set up default IPv6 rules as are given in the stock CentOS 5.8 installation. You may take this as a reference. This was taken from a stock 5.8 installation.
Hope everything is sorted out now :)