On Sun, 25 Nov 2001 21:51:49 +0000
David
Hi Geoff,
I thought it was your suggestion.
Yes I have found that faq and done that, but it doesn't work. Firestarter works with chains or tables. I don't see what there is in ip-up that is asking for ip-chains and do not understand why it does not read the rest of the file. I have tried putting it at the front but it does not seem to like it - stalls.
I notice that on the original ip-up the kinternet log gives ................ ip-up failed (return value 0xff00)
No clear answer I am afraid David, but with regard to the following extract from
the log you posted previously ...
Nov 25 14:13:24 linux /etc/ppp/ip-up: ip-up: Loading of module ipchains was not successful.
Nov 25 14:13:24 linux /etc/ppp/ip-up: Aborting. No action taken.
... I found a post on the suse-security list which may be relevant and which
I will quote in full below - it might at least eliminate a red herring, but I am
afraid that I really don't know enough about firewalls to say.
Maybe another approach would be to initialise Firestarter from an
/etc/ppp/ip-up.local script ? At least that would isolate it. Mind you,
according to section 23 of the PPP HOWTO:
Ip-up is just a shell script and can do anything that a shell script can
do (i.e. virtually anything you want).
For example, you can get sendmail to dispatch any waiting outbound
messages in the mail queue.
Similarly, you can insert the commands into ip-up to collect (using pop)
any email waiting for you at your ISP.
There are restrictions on /etc/ppp/ip-up:-
**It runs in a deliberately restricted environment to enhance
security. This means you must give a full path to binaries etc.**
Maybe, therefore, you should give the full path to Firestarter ?
Geoff
Here is the post from the security list.
Date: Fri, 5 Oct 2001 12:09:46 +0200 (MEST)
From: Roman Drahtmueller
I finally got around to switching to SuSEfirewall2. Installation and setup were straightforward, and my testing seems to indicate it's doing what I expect...
However, I'm now seeing the following messages in /var/log/messages as I bring up, and again as I terminate a ppp session (using kppp):
/etc/ppp/ip-down: ip-down: Loading of module ipchains was not successful.
/etc/ppp/ip-down: Aborting. No action taken.
This output is from the SuSEpersonal-firewall (which works with ipchains in SuSE-7.2 only). It tried to load the ipchains module, which does not work if the iptables framework has been loaded before. SuSEfirewall and SuSEpersonal-firewall can work together, but SuSEfirewall2 needs iptables. By consequence, you must disable the SuSEpersonal-firewall in /etc/rc.config.d/security.rc.config (Set REJECT_ALL_INCOMING_CONNECTIONS="no"). SuSE-7.3 comes with a personal-firewall package that can work with both iptables and ipchains. None of the scripts should remove modules from a running kernel since this is inherently racy, and SuSEpersonal-firewall does not remove modules at all. SuSEfirewall2 does, the version in 7.3 is a bit more careful and will not remove loaded iptables modules any more because of the likeliness of a kernel crash (fixed in the last beta phase of 7.3).
A search of /etc/ppp/ip-up, ip-up.local, and SuSEFirewall2 shows the only reference to the ipchains module is an attempt to `rmmod` it. Is this message simply an obfuscated way of saying that it couldn't be removed because it wasn't loaded?
No, the other way around. Please add a line for SuSEfirewall2 to ip-up that resembles the one for SuSEfirewall so that the fw-script is being executed upon dial-in.
Thanks,
Roman.
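
The two points raised in this thread (the ipchains module cannot load once the iptables framework is loaded, and ip-up needs full paths to binaries) written as pre-flight checks for an ip-up.local style script. This is an added example, not code from any poster or from SuSE; the function names and the search directory list are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for an ip-up.local style hook.
# Function names and the directory list are assumptions, not SuSE code.
# Only shell builtins are used, so nothing here depends on PATH.

# Print the packet-filter framework a module list shows as loaded:
# "iptables", "ipchains" or "none". $1 is a file in /proc/modules
# format (module name in the first field); defaults to /proc/modules.
loaded_filter() {
    modlist=${1:-/proc/modules}
    result=none
    [ -r "$modlist" ] || { echo "$result"; return 0; }
    while read -r name _rest; do
        case $name in
            ip_tables) result=iptables; break ;;
            ipchains)  result=ipchains ;;
        esac
    done < "$modlist"
    echo "$result"
}

# Succeed only if the wanted framework ($1: iptables or ipchains) does
# not collide with the one already loaded per the module list ($2).
can_use() {
    have=$(loaded_filter "$2")
    [ "$have" = none ] || [ "$have" = "$1" ]
}

# ip-up runs in a restricted environment, so resolve a command name to
# an absolute path from a fixed directory list instead of trusting PATH.
full_path() {
    for dir in /sbin /usr/sbin /bin /usr/bin; do
        if [ -x "$dir/$1" ] && [ ! -d "$dir/$1" ]; then
            echo "$dir/$1"
            return 0
        fi
    done
    return 1
}

# Typical use inside a hook (hypothetical command name "fw-script"):
#   can_use iptables && fw=$(full_path fw-script) && "$fw" start
```

A failing `can_use ipchains` corresponds to the "Loading of module ipchains was not successful" message quoted above.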