From owner-freebsd-ipfw@FreeBSD.ORG Sat Oct 17 06:42:00 2009
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8EA6F106566B for ; Sat, 17 Oct 2009 06:42:00 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) by mx1.freebsd.org (Postfix) with ESMTP id CCB908FC08 for ; Sat, 17 Oct 2009 06:41:59 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id n9H6fu75046039; Sat, 17 Oct 2009 17:41:57 +1100 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Sat, 17 Oct 2009 17:41:56 +1100 (EST)
From: Ian Smith
To: Chris St Denis
In-Reply-To: <4AD8FDD0.30008@smartt.com>
Message-ID: <20091017171148.T70724@sola.nimnet.asn.au>
References: <4AC51F18.5050703@smartt.com> <4AC52918.2020705@smartt.com> <8d923f617db88c873c63bb2038752147.squirrel@users.sharktooth.org> <4ACF9341.2040406@smartt.com> <4AD8FDD0.30008@smartt.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: Jason Lewis, freebsd-ipfw@freebsd.org, Freddie Cash
Subject: Re: ipfw: install_state: entry already present, done
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sat, 17 Oct 2009 06:42:00 -0000

On Fri, 16 Oct 2009, Chris St Denis wrote:
 >
 > This is definitely a regression in 7.2.
 >
 > Downgrades to 6.4, 7.0, 7.1 did not show this symptom. Upgrade the test
 > server back to 7.2 and the messages come back.

I notice neither your rules shown below nor the "workstation" rules -
unlike the "client" and "simple" rulesets - allow IP fragments to pass,
and I'm not sure what happens to frags that are associated with stateful
DNS rules.

The only frags I usually see here are associated with DNS responses from
my forwarders, usually huge lists of NS for spamhaus.org that are almost
always fragmented (around 2Kbytes).

You could maybe try a specific 'allow log all from any to any frag' ?

Just a wild stab in the dark, cheers, Ian

 > Chris St Denis wrote:
 > > check_state doesn't help. The error is also generated from the rc.conf
 > > firewall_type="workstation" rule set which includes check_state among
 > > several other rules.
 > >
 > > I made a copy of this server (it's a virtual server under VMware) and
 > > downgraded it to 6.4-RELEASE-p7 and I no longer get the error.
 > >
 > > I downgraded another copy to 7.2-RELEASE (no patches) by copying the
 > > generic kernel off the CD. Still gets errors.
 > >
 > > Downgraded it to 7.0-RELEASE and the message stopped.
 > >
 > > I'm going to try going to 7.1 and see which behavior it has.
 > >
 > > Looks like there may have been a regression in 7.2 (or maybe 7.1 pending
 > > the results of my further testing)
 > >
 > >
 > > Jason Lewis wrote:
 > > > Did you try a check_state? I am using this same rule structure on BSD6
 > > > without a problem.
 > > >
 > > > Thanks,
 > > > Jason
 > > > http://jasonlewis.yaritz.net
 > > >
 > > >
 > > > > > Freddie Cash wrote:
 > > > > >
 > > > > > On Thu, Oct 1, 2009 at 2:28 PM, Chris St Denis
 > > > > > wrote:
 > > > > >
 > > > > > > Haven't gotten any response on -questions so trying here. I've also
 > > > > > > opened a PR (kern/139226) but it's gotten no replies so I figured I
 > > > > > > should try here since I'm not certain if it's a bug or not.
 > > > > > > Regardless I am hoping for at least a work-around -- a few extra
 > > > > > > rules or settings to keep my console from being flooded by errors.
 > > > > > > So far only option I found is commenting out the error display line
 > > > > > > in the kernel source which is far from optimal.
 > > > > > >
 > > > > > > I'm trying to set up a stateful firewall for my server such that any
 > > > > > > traffic can go out, and its reply come back -- a fairly typical
 > > > > > > workstation setup. However I'm getting the error message
 > > > > > > "ipfw: install_state: entry already present, done" repeated many
 > > > > > > times in my logs (though the rules seemed to work fine otherwise).
 > > > > > >
 > > > > > > I stripped down the rules to the minimum I could and discovered the
 > > > > > > line causing it is "allow udp from me to any keep-state".
 > > > > > >
 > > > > > > Only seems to happen when I have bind running as a slave dns server
 > > > > > > (not publicly listed, just the zone replication traffic causes the
 > > > > > > error) but I assume any other large source of UDP traffic would
 > > > > > > also do it.
 > > > > > >
 > > > > > > Full firewall rules:
 > > > > > >
 > > > > > > dns2# ipfw list
 > > > > > > 00100 allow ip from any to any via lo0
 > > > > > > 00200 deny ip from any to 127.0.0.0/8
 > > > > > > 00300 deny ip from 127.0.0.0/8 to any
 > > > > > > 00400 allow udp from me to any keep-state
 > > > > > > 65535 deny ip from any to any
 > > > > > >
 > > > > >
 > > > > > If you add "out xmit em0" to the udp rule, do the errors stop
 > > > >
 > > > > I added that and restarted bind (thus generating a bunch of UDP
 > > > > traffic) and the error still floods the console.
 > > > >
 > > > > Current rule set:
 > > > > 00100 allow ip from any to any via lo0
 > > > > 00200 deny ip from any to 127.0.0.0/8
 > > > > 00300 deny ip from 127.0.0.0/8 to any
 > > > > 00400 allow udp from me to any out xmit em0 keep-state
 > > > > 00500 allow ip from any to any
 > > > > 65535 deny ip from any to any
 > > > >
 > > > > _______________________________________________
 > > > > freebsd-ipfw@freebsd.org mailing list
 > > > > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
 > > > > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
 > > > >
 > > >
 > >
 >
 > --
 > Chris St Denis
 > Programmer
 > SmarttNet (www.smartt.com)
 > Ph: 604-473-9700 Ext. 200
 > -------------------------------------------
 > "Smart Internet Solutions For Businesses"
 >
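The script below is an added example and is not code from the thread or from FreeBSD. It writes out the stripped-down ruleset Chris posted with Ian's suggested fragment rule inserted ahead of the keep-state rule, and it includes a small checker that reads saved `ipfw list` output and confirms that a `frag` rule is numbered before the first `keep-state` rule. The rationale for the ordering is that ipfw's `frag` option matches non-first fragments, which carry no UDP header; a port- or state-based rule cannot match them, so without an explicit rule they fall through to the default deny. The rule number 00350 and the use of `em0` (taken from Chris's second ruleset) are assumptions; `apply_rules` needs root on a FreeBSD host with ipfw loaded, while the checker runs anywhere with a POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the thread): Chris's minimal ruleset plus the
# fragment rule Ian suggested, and a check on rule ordering.

# Rule numbers 100-500 come from the thread; 350 is an assumed slot that
# only has to sort before the keep-state rule at 400.
build_rules() {
    cat <<'EOF'
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
add 00350 allow log ip from any to any frag
add 00400 allow udp from me to any out xmit em0 keep-state
add 00500 allow ip from any to any
EOF
}

# Load the rules into the kernel. ipfw accepts a file of commands as its
# argument, so /dev/stdin lets us pipe the generated list in.
apply_rules() {
    ipfw -q -f flush
    build_rules | ipfw -q /dev/stdin
}

# Read 'ipfw list' style lines on stdin and print the number of the first
# rule whose text matches the awk regex in $1 (prints nothing if none).
first_rule_matching() {
    awk -v pat="$1" '$0 ~ pat { print $1 + 0; exit }'
}

# Exit 0 when a frag rule precedes the first keep-state rule in the
# listing on stdin, non-zero otherwise (including when either is absent).
frag_before_keepstate() {
    listing=$(cat)
    frag=$(printf '%s\n' "$listing" | first_rule_matching ' frag')
    ks=$(printf '%s\n' "$listing" | first_rule_matching 'keep-state')
    [ -n "$frag" ] && [ -n "$ks" ] && [ "$frag" -lt "$ks" ]
}

# Typical use on the firewall host:
#   ipfw list | frag_before_keepstate && echo "frag rule ordered correctly"
# Dynamic state entries can be inspected afterwards with: ipfw -d list
```

On a live host, `ipfw -d list` shows the dynamic entries the keep-state rule creates, which is the first thing to look at when the install_state messages appear, since each message corresponds to an attempt to create a state that already exists.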