On Fri, 5 Oct 2001, Roman Drahtmueller wrote:
> /etc/ppp/ip-down: ip-down: Loading of module ipchains was not successful.
> /etc/ppp/ip-down: Aborting. No action taken.
> This output is from the SuSEpersonal-firewall (which works with ipchains in SuSE-7.2 only). It tried to load the ipchains module, which does not work if the iptables framework has been loaded before. SuSEfirewall and SuSEpersonal-firewall can work together, but SuSEfirewall2 needs iptables. By consequence, you must disable the SuSEpersonal-firewall in /etc/rc.config.d/security.rc.config (Set REJECT_ALL_INCOMING_CONNECTIONS="no").

Oops. I thought I had replaced the personal-firewall package with the SuSEfirewall package. I hadn't - it was still installed. `rpm -e personal-firewall` took care of the problem.

> SuSE-7.3 comes with a personal-firewall package that can work with both iptables and ipchains. None of the scripts should remove modules from a running kernel since this is inherently racy, and SuSEpersonal-firewall does not remove modules at all. SuSEfirewall2 does; the version in 7.3 is a bit more careful and will not remove loaded iptables modules any more because of the likeliness of a kernel crash (fixed in the last beta phase of 7.3).

Why would one want to run both personal-firewall and SuSEfirewall(2)? The latter gives much finer-grained control, and is capable of blocking all connections, if so configured.

> Please add a line for SuSEfirewall2 to ip-up that resembles the one for SuSEfirewall so that the fw-script is being executed upon dial-in.

It was already there. SuSEfirewall2 is getting loaded, and appears to be working. It was just that unexpected ipchains message caused by the vestiges of personal-firewall that prompted my question.

Thanks for your help.
-- 
Rick Green
"They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."
-Benjamin Franklin
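
Added example, not part of the original mail or of any SuSE script: a shell check for the situation discussed in this thread, where the iptables framework is loaded while SuSEpersonal-firewall is still enabled. The function names are hypothetical; the module names `ip_tables` and `ipchains`, and the rule that any value other than empty or `no` enables the personal firewall, are assumptions.

```shell
#!/bin/sh
# Added example: detect the ipchains/iptables clash described in the thread.
# Assumptions: module names "ip_tables" and "ipchains" as listed in
# /proc/modules on 2.4 kernels; any REJECT_ALL_INCOMING_CONNECTIONS value
# other than empty or "no" means SuSEpersonal-firewall is active.

# module_loaded NAME FILE: exit 0 if NAME is the first field of a line in FILE
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# pfw_setting FILE: print the last assigned REJECT_ALL_INCOMING_CONNECTIONS value
pfw_setting() {
    sed -n 's/^[[:space:]]*REJECT_ALL_INCOMING_CONNECTIONS=//p' "$1" |
        tail -n 1 | tr -d "\"'"
}

# check_conflict [MODULES_FILE] [CONFIG_FILE]: print one of
#   conflict | iptables-only | ipchains-only | none
check_conflict() {
    modules=${1:-/proc/modules}
    config=${2:-/etc/rc.config.d/security.rc.config}
    setting=no
    if [ -r "$config" ]; then
        setting=$(pfw_setting "$config")
    fi
    case "$setting" in
        ''|no) pfw=off ;;
        *)     pfw=on ;;
    esac

    if module_loaded ip_tables "$modules"; then
        # iptables is in the kernel, so an ipchains-based script cannot load its module
        if [ "$pfw" = on ]; then echo conflict; else echo iptables-only; fi
    elif [ "$pfw" = on ] || module_loaded ipchains "$modules"; then
        echo ipchains-only
    else
        echo none
    fi
}

# Usage on a live system: check_conflict   (both arguments default to the real paths)
```
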