Hello, So what would be different upon first boot? We will probably run a location update after the first time we connect to the internet and refresh the database, because the one that was shipped is likely too old. However, I checked the code of the xt_geoip module and it does not look like it would complain in any way that it would look like the module does not exist - so the kernel simply cannot find it. That only leaves us with a missing module on the dependency tree (but we would never update that in production I believe) or that the file can simply not be opened. strace might help with this. -Michael > On 1 Feb 2022, at 17:19, Peter Müller wrote: > > Hello Michael, > > thanks for your reply. > > I have no idea, but am interested in the root cause of this as well. It only happens > while loading the firewall engine on first boot. On every subsequent boot, iptables > does not complain. > > Thanks, and best regards, > Peter Müller > >> Hello, >> >> I would be great to know *why* this is happening. >> >> iptables should automatically trigger loading the kernel module. >> >> Did we just forget to run something like depmod -a? >> >> -Michael >> >>> On 30 Jan 2022, at 17:08, Peter Müller wrote: >>> >>> For some reason, this module is not present after the very first boot of >>> an IPFire installation. >>> >>> Fixes: #12767 >>> >>> Reported-by: Arne Fitzenreiter >>> Signed-off-by: Peter Müller >>> --- >>> src/initscripts/system/firewall | 3 +++ >>> 1 file changed, 3 insertions(+) >>> >>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall >>> index ebc8168ae..bfab6d538 100644 >>> --- a/src/initscripts/system/firewall >>> +++ b/src/initscripts/system/firewall >>> @@ -39,6 +39,9 @@ iptables_init() { >>> iptables -P FORWARD DROP >>> iptables -P OUTPUT ACCEPT >>> >>> + # Ensure the xt_geoip module is always loaded (#12767) >>> + modprobe xt_geoip >>> + >>> # Enable TRACE logging to syslog >>> modprobe nf_log_ipv4 >>> sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4 >>> -- >>> 2.31.1 >>