DrVit
2004-03-01, 09:20 AM PST
I have: Fedora Core 1 with kernel 2174, KDE 3.2. Any firewall I install works fine for some 10 minutes, and later is being disabled by something - I have tried Firestarter, Guarddog and KMyFirewall. Scripts generated by these apps are OK.
I suspect that something works in the circle and enables Iptables (configured not the way firewalls are) disabling running 'third party' firewall.
What is that process? It is not a rootkit - I've checked that.
Every time I run nmap for the first time after boot, ports are stealthed. After 10 minutes seven ports are wide open, all TCP (including ssh, rpcbind and .. sometimes-rpc).
Looking for help, you can even contact me nearly all day via ICQ.
Best regards,
Vito
ICQ: 317502232
decker
2004-03-01, 09:19 PM PST
Well what I always do is get things set up like I like, and then run "service iptables save". Then your configuration is saved into /etc/sysconfig/iptables and applied every time that service starts up.
Strange how iptables is getting changed like you say though. Are you sure it's getting changed though? What's the output of "iptables --list" before and after you have a problem?
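The before/after comparison asked for above, as an added example that is not part of the original posts: it compares two rule snapshots while ignoring packet counters and timestamps, so only real rule changes show up. It assumes `iptables-save` output rather than `iptables --list`, and the function names and the three snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect firewall rule drift between two iptables-save snapshots.
# All snapshot text below is constructed sample data, not output from the thread.

# Drop what changes without any rule change: "# Generated/Completed" comment
# lines and [packets:bytes] counters on chain policy lines (and on rules when
# the snapshot was taken with `iptables-save -c`).
normalize_ruleset() {
    sed -e '/^#/d' -e 's/\[[0-9]*:[0-9]*] *//' -e 's/[[:space:]]*$//'
}

# ruleset_drift BEFORE AFTER: returns 0 if the rules match, 1 (and prints the
# differing lines, "<" = only before, ">" = only after) if they do not.
ruleset_drift() {
    before=$(printf '%s\n' "$1" | normalize_ruleset)
    after=$(printf '%s\n' "$2" | normalize_ruleset)
    if [ "$before" = "$after" ]; then return 0; fi
    tmp=$(mktemp -d) || return 2
    printf '%s\n' "$before" > "$tmp/before"
    printf '%s\n' "$after" > "$tmp/after"
    diff "$tmp/before" "$tmp/after" | grep '^[<>]'
    rm -rf "$tmp"
    return 1
}

BOOT_SNAPSHOT='# Generated by iptables-save on Mon Mar  1 09:00:00 2004
*filter
:INPUT DROP [10:600]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
SAME_RULES_SNAPSHOT='# Generated by iptables-save on Mon Mar  1 09:05:00 2004
*filter
:INPUT DROP [87:5220]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
LATER_SNAPSHOT='# Generated by iptables-save on Mon Mar  1 09:10:00 2004
*filter
:INPUT ACCEPT [412:30110]
-A INPUT -i lo -j ACCEPT
COMMIT'

ruleset_drift "$BOOT_SNAPSHOT" "$SAME_RULES_SNAPSHOT" && echo "counters only: no drift"
ruleset_drift "$BOOT_SNAPSHOT" "$LATER_SNAPSHOT" || echo "ruleset changed"
```

On a live host the two arguments would be the output of `iptables-save` captured as root right after boot and again once the ports appear open.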
DrVit
2004-03-02, 06:54 AM PST
[quote="decker"]Well what I always do is get things set up like I like, and then run "service iptables save". Then your configuration is saved into /etc/sysconfig/iptables and applied every time that service starts up.
Strange how iptables is getting changed like you say though. Are you sure it's getting changed though? What's the output of "iptables --list" before and after you have a problem?[/quote]
Hi,
I have run 'iptables service save' - right after I have enabled KMyFirewall - and system looks as 100% stealthed. I have restarted machine, and first run of 'nmap -v localhost' gave stealthed status result. I have run 'iptables --list' before I have had KMyFirewall switched on, and saved in a file, and I have done same thing after running KMyFirewall and 'iptables service save'.
Both outputs are quite different, I must say.
Usually, after 2 - 5 minutes max I had results of port scanning different, i.e. ports were open - now, I have checked with 15 min interval, and everything seems OK.
One thing is a bit strange though: after I had restarted the machine, it took quite longer time to log-in than it used to take.
What I have found - by accident, is that ShieldsUP (www.grc.com) gave my ports stealthed status, while netscan (knetscan) showed seven open ports altogether with listing the system data.
I probably should say THANX in capital letters: ShieldsUp shows stealthed status, nmap (with many options) shows stealthed status. It's good that somebody knowing more shares his knowledge with those knowing less.
Thanx a lot, really
Vito