Mulyadi Santosa wrote:
> 2008/8/19 Hinko Kocevar <hinko.kocevar@xxxxxxxxxxxx>:
>> Hi,
>>
>> Is there a way to tell if iptables (firewall) is active from some
>> /proc or /sys file? Or with the iptables utility?
>>
>> Is it safe to assume that if no rules are present in any of the chains
>> the firewall is inactive/disabled?
>
> I agree with other posters that checking whether the iptables module is
> loaded or not is the best way to check.

That would mean that when stopping the firewall I would need to remove the modules, or at least one of them, on which I could rely.

> Mind you, iptables -L only checks the "filter" table. You also need to
> iterate over the "nat" and "mangle" tables too to make sure no rules are
> defined there.

Acked.

> The word "active" has a double meaning IMHO. iptables, as far as the hook
> mechanism is concerned, is always active, i.e. the function pointer is
> checked; if it's not null then something must be done inside the iptables
> code flow. The real point here is whether the iptables hook is calling
> the filtering/nat/mangling function or not.

Yes, as you put it, iptables is always active; the only question is when it is actually 'handling' traffic.

It would be a nice feature if one could obtain the number of, e.g., 'active' rules across the complete netfilter.

Regards,
Hinko

--
ČETRTA POT, d.o.o., Kranj
Planina 3
4000 Kranj
Slovenia, Europe
Tel. +386 (0) 4 280 66 03
E-mail: hinko.kocevar@xxxxxxxxxxxx
Http: www.cetrtapot.si
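One way to get the per-table rule count the thread asks for, as an added example that is not part of the original mail: it parses the text format written by `iptables-save` (which covers every table, not only "filter"), counts `-A` rules per table, and also counts chains whose built-in policy is not ACCEPT, since an empty chain with a DROP policy still affects traffic. The sample dump below is constructed for the example; on a real host you would feed it `iptables-save` output as root.

```shell
#!/bin/sh
# Added example: summarise an iptables-save dump across all tables.
# Usage: iptables-save | summarize_dump     (or summarize_dump /path/to/dump)

# Constructed sample dump: empty filter table with a DROP policy on INPUT,
# two nat rules, and an empty mangle table.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
COMMIT'

# Print one line per table: "<table> rules=<n> nonaccept_policies=<m>".
# "*name" starts a table, ":CHAIN POLICY [pkts:bytes]" declares a chain
# (policy "-" means a user-defined chain), "-A CHAIN ..." is one rule.
summarize_dump() {
    awk '
        /^\*/  { table = substr($0, 2); rules[table] += 0; pol[table] += 0 }
        /^:/   { if ($2 != "ACCEPT" && $2 != "-") pol[table]++ }
        /^-A / { rules[table]++ }
        END {
            for (t in rules)
                printf "%s rules=%d nonaccept_policies=%d\n", t, rules[t], pol[t]
        }' "$@" | sort
}

# Return 0 when no table has any rule or non-ACCEPT policy, 1 otherwise.
netfilter_is_idle() {
    summarize_dump "$@" | grep -qvE 'rules=0 nonaccept_policies=0$' && return 1
    return 0
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_DUMP" | summarize_dump
```

The exit status of `netfilter_is_idle` answers the original question more safely than "no rules in filter": only when every table reports zero rules and only ACCEPT policies is the rule set doing nothing.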