Thanks Geoff for your research. You prompted me to look at my Suse f/w again.

I downloaded the Suse2 f/w the other day, clicked on install and nothing happened, had a look at the script and didn't go any further. However, looking again I see it has installed itself, disabled Suse1 and enabled Suse2, but it didn't copy ip-up across. I have done that and it removes the error messages for ip-up.

If I put in a line for firestarter, incidentally I always put the full path, I get the ip-up error in the kinternet log. That was putting it at the end. I have tried the ip-up.local but it is ignored. Tried putting it into ip-up, but again ignored.

Does ip-up.local need to be set as a particular file type? I see in ip-up there is a line to check for ip-up.local and run if possible. So I assume my syntax is wrong, but it runs from the x terminal. Maybe it needs to be started later, but I don't know what follows on from that.

Thanks
David

On Mon, 26 Nov 2001 16:26:00 +0000, Geoff wrote:
No clear answer I am afraid David, but with regard to the following extract from the log you posted previously ...
Nov 25 14:13:24 linux /etc/ppp/ip-up: ip-up: Loading of module ipchains was not successful.
Nov 25 14:13:24 linux /etc/ppp/ip-up: Aborting. No action taken.
.... I found a post on the suse-security list which may be relevant and which I will quote in full below - it might at least eliminate a red herring, but I am afraid that I really don't know enough about firewalls to say.
Maybe another approach would be to initialise Firestarter from an /etc/ppp/ip-up.local script? At least that would isolate it. Mind you, according to section 23 of the PPP HOWTO:
Ip-up is just a shell script and can do anything that a shell script can do (i.e. virtually anything you want).
For example, you can get sendmail to dispatch any waiting outbound messages in the mail queue.
Similarly, you can insert the commands into ip-up to collect (using pop) any email waiting for you at your ISP.
There are restrictions on /etc/ppp/ip-up:-
**It runs in a deliberately restricted environment to enhance security. This means you must give a full path to binaries etc.**
Maybe, therefore, you should give the full path to Firestarter?
Geoff
Here is the post from the security list.
Date: Fri, 5 Oct 2001 12:09:46 +0200 (MEST)
From: Roman Drahtmueller
Message-ID:
Subject: Re: [suse-security] SuSEfirewall2 & ipchains?!

I finally got around to switching to SuSEfirewall2. Installation and setup were straightforward, and my testing seems to indicate it's doing what I expect...
However, I'm now seeing the following messages in /var/log/messages as I bring up, and again as I terminate a ppp session (using kppp):
/etc/ppp/ip-down: ip-down: Loading of module ipchains was not successful.
/etc/ppp/ip-down: Aborting. No action taken.
This output is from the SuSEpersonal-firewall (which works with ipchains in SuSE-7.2 only). It tried to load the ipchains module, which does not work if the iptables framework has been loaded before. SuSEfirewall and SuSEpersonal-firewall can work together, but SuSEfirewall2 needs iptables. By consequence, you must disable the SuSEpersonal-firewall in /etc/rc.config.d/security.rc.config (Set REJECT_ALL_INCOMING_CONNECTIONS="no").
SuSE-7.3 comes with a personal-firewall package that can work with both iptables and ipchains. None of the scripts should remove modules from a running kernel since this is inherently racy, and SuSEpersonal-firewall does not remove modules at all. SuSEfirewall2 does; the version in 7.3 is a bit more careful and will not remove loaded iptables modules any more because of the likeliness of a kernel crash (fixed in the last beta phase of 7.3).
A search of /etc/ppp/ip-up, ip-up.local, and SuSEFirewall2 shows the only reference to the ipchains module is an attempt to `rmmod` it. Is this message simply an obfuscated way of saying that it couldn't be removed because it wasn't loaded?
No, the other way around.
Please add a line for SuSEfirewall2 to ip-up that resembles the one for SuSEfirewall so that the fw-script is being executed upon dial-in.
Thanks, Roman.
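A preflight check for the two points raised in this thread (whether ip-up.local needs a particular file type, and the full-path requirement of ip-up's restricted environment), as an added example that is not part of the original messages or of any SuSE script. It assumes ip-up only calls the hook when it is executable, which the thread does not confirm; `check_hook`, the sample hook and its contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a pppd hook such as /etc/ppp/ip-up.local before relying on it.
# Assumption: ip-up guards the call with a "test -x" style check.
# Heuristic: only the first word of each line is inspected.

check_hook() (
    f=$1; problems=0
    note() { echo "$f: $1"; problems=$((problems + 1)); }

    [ -f "$f" ] || { echo "$f: missing"; exit 1; }
    [ -x "$f" ] || note "not executable (chmod 755), so an -x guard would skip it"

    IFS= read -r first < "$f" || first=
    case $first in
        '#!'/*) ;;
        *) note "first line is not #!/absolute/interpreter" ;;
    esac

    # Flag command words that only resolve through PATH. With PATH pointing
    # at nothing, 'type' still succeeds for shell keywords and builtins.
    n=0
    while read -r word rest; do
        n=$((n + 1))
        case $word in ''|'#'*|/*|*=*) continue ;; esac
        ( PATH=/nonexistent; type "$word" ) >/dev/null 2>&1 ||
            note "line $n: '$word' is not given with a full path"
    done < "$f"
    exit "$problems"          # exit status = number of problems found
)

# Constructed sample hook: bare command name and no execute bit.
demo=$(mktemp -d)
printf '%s\n' '#!/bin/sh' '# constructed sample' 'firestarter' > "$demo/ip-up.local"
check_hook "$demo/ip-up.local" || echo "problems found: $?"
rm -rf "$demo"
```

Run it against the real hook with `check_hook /etc/ppp/ip-up.local`; a clean result only rules out these two causes, not a problem inside the firewall script itself.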