From: Chris St Denis <chris@smartt.com>
Date: Thu, 01 Oct 2009 15:11:36 -0700
To: Freddie Cash
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw: install_state: entry already present, done

Freddie Cash wrote:
> On Thu, Oct 1, 2009 at 2:28 PM, Chris St Denis wrote:
>
>> Haven't gotten any response on -questions so trying here. I've also opened
>> a PR (kern/139226) but it's gotten no replies so I figured I should try here
>> since I'm not certain if it's a bug or not. Regardless, I am hoping for at
>> least a work-around -- a few extra rules or settings to keep my console from
>> being flooded by errors. So far the only option I found is commenting out the
>> error display line in the kernel source, which is far from optimal.
>>
>> I'm trying to set up a stateful firewall for my server such that any traffic
>> can go out, and its reply come back -- a fairly typical workstation setup.
>> However I'm getting the error message "ipfw: install_state: entry already
>> present, done" repeated many times in my logs (though the rules seemed to work
>> fine otherwise).
>>
>> I stripped down the rules to the minimum I could and discovered the line
>> causing it is "allow udp from me to any keep-state".
>>
>> Only seems to happen when I have bind running as a slave dns server (not
>> publicly listed, just the zone replication traffic causes the error) but I
>> assume any other large source of UDP traffic would also do it.
>>
>> Full firewall rules:
>>
>> dns2# ipfw list
>> 00100 allow ip from any to any via lo0
>> 00200 deny ip from any to 127.0.0.0/8
>> 00300 deny ip from 127.0.0.0/8 to any
>> 00400 allow udp from me to any keep-state
>> 65535 deny ip from any to any
>>
> If you add "out xmit em0" to the udp rule, do the errors stop?

I added that and restarted bind (thus generating a bunch of UDP traffic) and
the error still floods the console.

Current rule set:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow udp from me to any out xmit em0 keep-state
00500 allow ip from any to any
65535 deny ip from any to any
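The thread's practical problem is a console flooded with "ipfw: install_state: entry already present, done". Short of patching the kernel, the defensive move is to measure the burst rate from the syslog copy of the message so you can tell whether a rule change (such as the "out xmit em0" experiment above) actually reduced it. The following monitor is an added example, not code from the thread, from FreeBSD or from ipfw; it parses FreeBSD-style syslog lines, counts the message per minute, and folds in syslogd's "last message repeated N times" consolidation lines only when they follow that message. The sample log is constructed: the hostname dns2 is taken from the thread, while the PIDs, zone name and addresses are made up. Reading /var/log/messages is assumed to be the right source on the host.

```python
"""Per-minute rate of the ipfw 'install_state: entry already present' message
in FreeBSD syslog output (added example; log lines are constructed)."""
import re
import sys
from collections import Counter

INSTALL_STATE_MSG = "ipfw: install_state: entry already present, done"

# FreeBSD syslog line layout: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# syslogd collapses identical consecutive messages into this line
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")

# Constructed sample (assumption: modelled on FreeBSD syslog; dns2 is the
# hostname from the thread, everything else is invented).
SAMPLE_LOG = """\
Oct  1 15:11:36 dns2 kernel: ipfw: install_state: entry already present, done
Oct  1 15:11:36 dns2 kernel: ipfw: install_state: entry already present, done
Oct  1 15:11:37 dns2 named[812]: zone example.test/IN: transferred serial 2009100101
Oct  1 15:11:37 dns2 syslogd: last message repeated 4 times
Oct  1 15:11:38 dns2 kernel: ipfw: install_state: entry already present, done
Oct  1 15:11:39 dns2 syslogd: last message repeated 7 times
Oct  1 15:12:02 dns2 sshd[900]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
Oct  1 15:12:05 dns2 kernel: ipfw: install_state: entry already present, done
"""


def parse_syslog_line(line):
    """Return a dict with ts/host/prog/msg, or None for lines that do not parse."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def count_install_state(log_text, marker=INSTALL_STATE_MSG):
    """Count occurrences of `marker` per minute ("Mon DD HH:MM").

    A 'last message repeated N times' line is credited to the marker only if
    the immediately preceding message was the marker; otherwise it belongs to
    some other program's message (e.g. named) and is ignored.
    """
    counts = Counter()
    last_was_marker = False
    for line in log_text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None:
            continue
        minute = rec["ts"][:-3]  # drop ":SS"
        repeat = REPEAT_RE.match(rec["msg"]) if rec["prog"] == "syslogd" else None
        if repeat:
            if last_was_marker:
                counts[minute] += int(repeat.group("n"))
            continue  # a repeat line does not change which message was "last"
        last_was_marker = rec["msg"] == marker
        if last_was_marker:
            counts[minute] += 1
    return counts


def noisy_minutes(counts, threshold):
    """Minutes whose count reaches the threshold, in chronological (string) order."""
    return sorted(m for m, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # Usage: python3 ipfw_state_rate.py [/var/log/messages] [threshold]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    threshold = int(sys.argv[2]) if len(sys.argv) > 2 else 5
    per_minute = count_install_state(text)
    for minute, n in sorted(per_minute.items()):
        print(f"{minute}  {n:6d}")
    print("total:", sum(per_minute.values()))
    print("minutes at or above", threshold, "per minute:", noisy_minutes(per_minute, threshold))
```

Run it against two captures, one before and one after a rule change, and compare the per-minute figures rather than eyeballing the console; the repeat-line handling matters because syslogd's consolidation otherwise hides most of a burst.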