# disable firewall

## tekno_guru

I compiled iptables into my kernel and have emerged and installed iptables. Quick question: is there a way to disable or take down the firewall quickly, if need be? I realize now that if I had done this in modules I could unload the modules to take the firewall down, but I am curious if it has to be done in modules to be able to do this. If I have to go back and do it all in modules, is there a way to load the modules after the system has booted if I don't want the modules to load at boot? It should be said that this is for a laptop and I may not always need a firewall up. There may also be documentation on this that I am just missing or not understanding, but thank you for your time.

----------

## GenKreton

```
iptables -F

iptables -X

iptables -Z
```

That should clean EVERYTHING out. The man pages can help you out in figuring out what they do exactly.

----------

## tekno_guru

These commands would clean all the rules or chains out. I don't want to delete my rules/chains and such. I just want the firewall to stop running temporarily.

----------

## tuxmin

I fear there is no other way...

alex

----------

## ahubu

Starting and stopping the firewall is in practice no different from adding or removing your rules. You could write a script which removes the rules (like shown above, but in a bash script), and then a script which calls all rules as they are in your iptables config.

If you want it a bit easier, install something like firestarter (a GNOME app), which also has the ability (from the command line) to enable and disable the rules with one command, something like:

```
firestarter --stop

firestarter --start
```

As far as I know firestarter uses iptables rules, and it should be possible to import your rules there (IIRC, the names of the config files are only a bit different). If you run it as root, it gives an icon in the system tray with which you can enable/disable it. It gives you the convenient Windows ZoneAlarm feel.

Of course, running this as root brings some security issues (convenience tends to introduce security issues)...

----------

## tekno_guru

If I were to have compiled iptables as modules instead of into the kernel, would I have been able to just force the modules to stop? If I remove all my by these commands, that means I would have to add them all back, right? They couldn't be reloaded out of a save file? Or of course I could use a script to do so. Firestarter sounds like a good idea. I was thinking more of just a way to turn off the iptables program, but I guess that doesn't work, as the rules would still be in effect within the kernel? Is this correct?

----------

## GenKreton

The easiest alternative is to make a script that toggles between a really loose rule set (better than no firewall: default outbound to accept, and accept all related/established in both directions, should be good enough) and a second, harsher rule set. If you are off a network completely, there should be no problems with leaving the firewall running either, so I can't honestly understand why you would want it completely off. Forcing the module to load and unload is just as much work as making the little script to switch between rule sets, and it's a lot less messy.

----------

## tekno_guru

I didn't think about it like that, but that makes sense. Thank you.

----------

## GenKreton

If you would like some resources on creating your own firewall, Gentoo has a few good pages:

http://www.gentoo.org/doc/en/articles/dynamic-iptables-firewalls.xml

http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12

and the best iptables guide ever:

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Best of luck.

----------

## sschlueter

*tekno_guru wrote:*

> If I remove all my by these commands, that means I would have to add them all back, right? They couldn't be reloaded out of a save file?

This can be pretty easily done.

Run `/etc/init.d/iptables save` to save your current ruleset.

Run `rc-update add iptables default` if you want these rules to be loaded automatically when the system starts.

Run `/etc/init.d/iptables stop` to clear all rules and `/etc/init.d/iptables start` to load them again.

*tekno_guru wrote:*

> I was thinking more of just a way to turn off the iptables program, but I guess that doesn't work, as the rules would still be in effect within the kernel? Is this correct?

Yes, iptables is just a userspace tool to query/set the rules and states within the kernel.

Quick side note: with OpenBSD's pf, disabling and re-enabling the firewall without clearing and re-loading all rules is possible (`pfctl -d` and `pfctl -e`, respectively). But this is not possible with netfilter/iptables.
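A small script in the spirit of GenKreton's loose/strict toggle and sschlueter's save/stop/start cycle, added here as an example and not code from any post in the thread. It assumes a Linux box with `iptables-save`/`iptables-restore`, is run as root, and the save-file path is a constructed default:

```shell
#!/bin/sh
# Example firewall toggle (added here, not from the thread). Run as root.
# SAVE_FILE is an assumed default path; override it in the environment.
SAVE_FILE="${SAVE_FILE:-/var/lib/iptables/rules-save}"

# "Off" ruleset: no rules and ACCEPT policies. A bare `iptables -F` while the
# INPUT policy is DROP would leave the box unreachable, so policies are reset too.
off_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Loose ruleset: everything out, only replies and loopback in.
loose_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# iptables-restore loads the table in one transaction: a file that fails to
# parse leaves the current kernel rules untouched, unlike a flush-then-add loop.
main() {
    case "${1:-}" in
        save)   iptables-save > "$SAVE_FILE" ;;           # snapshot the strict set
        off)    off_ruleset   | iptables-restore ;;
        loose)  loose_ruleset | iptables-restore ;;
        strict) iptables-restore < "$SAVE_FILE" ;;        # reload the snapshot
        *)      echo "usage: $0 {save|off|loose|strict}" >&2; return 1 ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run `save` once while your full ruleset is loaded, then switch with `off`, `loose` or `strict` as the laptop moves between networks.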

----------

