I finally got around to switching to SuSEfirewall2. Installation and setup were straightforward, and my testing seems to indicate it's doing what I expect...
However, I'm now seeing the following messages in /var/log/messages as I bring up, and again as I terminate a ppp session (using kppp):
/etc/ppp/ip-down: ip-down: Loading of module ipchains was not successful.
/etc/ppp/ip-down: Aborting. No action taken.
This output is from the SuSEpersonal-firewall (which works with ipchains in SuSE-7.2 only). It tried to load the ipchains module, which does not work if the iptables framework has been loaded before. SuSEfirewall and SuSEpersonal-firewall can work together, but SuSEfirewall2 needs iptables. As a consequence, you must disable the SuSEpersonal-firewall in /etc/rc.config.d/security.rc.config (set REJECT_ALL_INCOMING_CONNECTIONS="no"). SuSE-7.3 comes with a personal-firewall package that can work with both iptables and ipchains. None of the scripts should remove modules from a running kernel since this is inherently racy, and SuSEpersonal-firewall does not remove modules at all. SuSEfirewall2 does; the version in 7.3 is a bit more careful and will not remove loaded iptables modules any more because of the likelihood of a kernel crash (fixed in the last beta phase of 7.3).
A search of /etc/ppp/ip-up, ip-up.local, and SuSEFirewall2 shows the only reference to the ipchains module is an attempt to `rmmod` it. Is this message simply an obfuscated way of saying that it couldn't be removed because it wasn't loaded?
No, the other way around.
Please add a line for SuSEfirewall2 to ip-up that resembles the one for SuSEfirewall so that the fw-script is being executed upon dial-in.
Thanks,
Roman.
--
Roman Drahtmüller
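The state described in the reply above (ip_tables already loaded while the ipchains-based personal firewall is still enabled) can be checked before dialing in. This is an added example, not part of the original thread or of any SuSE script; the function names and sample files are constructed, and it assumes that any value of REJECT_ALL_INCOMING_CONNECTIONS other than "no" means the personal firewall is enabled.

```shell
#!/bin/sh
# Added example (not from the original thread): flag the state in which the
# ipchains-based personal firewall is still enabled while ip_tables is loaded.
# File paths are arguments so the check can be run on constructed samples.

# Succeeds if module $1 is listed in the /proc/modules-style file $2.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# Prints the last REJECT_ALL_INCOMING_CONNECTIONS value in rc.config-style
# file $1, without quotes or trailing comment. The file is parsed, not sourced.
personal_fw_setting() {
    sed -n 's/^[[:space:]]*REJECT_ALL_INCOMING_CONNECTIONS="\{0,1\}\([^"#]*\).*/\1/p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Prints one status word: conflict, ok, or unset (no value found).
# Assumption: any value other than "no" means the personal firewall is enabled.
check_conflict() {
    setting=$(personal_fw_setting "$2")
    if [ -z "$setting" ]; then
        echo unset
    elif [ "$setting" != "no" ] && module_loaded ip_tables "$1"; then
        echo conflict   # ip-up/ip-down would try to load ipchains and abort
    else
        echo ok
    fi
}

# Demo on constructed sample data (not captured from a real system).
demo_dir=$(mktemp -d)
printf '%s\n' 'iptable_filter 2240 1 (autoclean)' \
    'ip_tables 10944 3 [iptable_filter]' > "$demo_dir/modules"
printf '%s\n' 'REJECT_ALL_INCOMING_CONNECTIONS="yes"' > "$demo_dir/security.rc.config"
echo "before: $(check_conflict "$demo_dir/modules" "$demo_dir/security.rc.config")"
printf '%s\n' 'REJECT_ALL_INCOMING_CONNECTIONS="no"' > "$demo_dir/security.rc.config"
echo "after:  $(check_conflict "$demo_dir/modules" "$demo_dir/security.rc.config")"
rm -rf "$demo_dir"
```

On a live system the two arguments would be /proc/modules and /etc/rc.config.d/security.rc.config.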