Date: Thu, 18 Sep 2003 17:21:36 GMT
From: Mark <admin@asarian-host.net>
To: "Josh Paetzel" <friar_josh@webwarrior.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: Ipfw on the fritz?
Message-ID: <200309181721.H8IHLA3P006459@asarian-host.net>
References: <200309180021.H8I0LW3P072727@asarian-host.net> <20030918005303.GJ27665@tcbug.org>
----- Original Message -----
From: "Josh Paetzel" <friar_josh@webwarrior.net>
To: "Mark" <admin@asarian-host.net>
Cc: <freebsd-questions@freebsd.org>
Sent: Thursday, September 18, 2003 2:54 AM
Subject: Re: Ipfw on the fritz?

> On Thu, Sep 18, 2003 at 12:21:58AM +0000, Mark wrote:
>
> > Eek, I just got these eerie messages in /var/log/messages:
> >
> > Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 1
> > Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 1
> > Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 2
> > Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 2
> > Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 1
> > Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 1
> >
> > That does not look good. :( I run FreeBSD 4.7R. Today I added a few
> > rules using "limit src-addr". Could that be it? And what does it mean?
> > Are some rules broken after this? I never had this happen before. Why
> > would ipfw even want to remove rules?
> >
> > Baffled & Concerned,
> >
> > - Mark
>
> The following thread may be of interest to you:
>
> http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-June/000215.html

Thank you for the thread. But a bad situation just got worse; all of a sudden I got these too:

Sep 18 17:45:06 asarian-host /kernel: drop session, too many entries
Sep 18 17:45:06 asarian-host /kernel: drop session, too many entries
Sep 18 17:45:16 asarian-host /kernel: drop session, too many entries
Sep 18 17:45:16 asarian-host /kernel: drop session, too many entries

Too many entries? I have "net.inet.ip.fw.dyn_max" set to 1000. And there are certainly not 1000+ dynamic rules. Well, thinking out loud, there would be if "OUCH! cannot remove rule". :(

Is there an ipfw patch somewhere, so I can rebuild the kernel? I do not wish to perform a cvsup, as that tends to make the system unstable. But if I can compile a new kernel on a Vmware box, and then copy over /kernel to the real server, well, that I dare give a try.

Thanks,

- Mark
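A monitoring check in the spirit of this thread, added here as an example and not code from the original post or from FreeBSD: it counts the two kernel messages Mark quotes and compares the dynamic-rule count against dyn_max, so a leaking dynamic table is flagged before sessions start being dropped. The log lines and the rule counts below are constructed inline so the script runs offline; on a real host you would feed it the output of `ipfw -d list` and `sysctl -n net.inet.ip.fw.dyn_max` (an assumption about how the numbers are obtained).

```shell
#!/bin/sh
# Added example: flag the ipfw dynamic-rule symptoms seen in the thread.
# Constructed sample of /var/log/messages lines, modelled on the post.
SAMPLE_LOG='Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 1
Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 2
Sep 18 17:45:06 asarian-host /kernel: drop session, too many entries
Sep 18 17:45:16 asarian-host /kernel: drop session, too many entries
Sep 18 17:45:20 asarian-host sshd[123]: Accepted publickey for mark'

# count_msgs LOG PATTERN -> number of /kernel: lines containing PATTERN.
# grep -c still prints 0 on no match but exits 1, hence the "|| true".
count_msgs() {
    printf '%s\n' "$1" | grep -c "/kernel: .*$2" || true
}

# dyn_usage_pct CURRENT MAX -> integer percentage of dyn_max in use.
dyn_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# check_ipfw_dyn LOG CURRENT MAX -> prints warnings; returns 1 if any fired.
# CURRENT would come from counting `ipfw -d list` dynamic entries and MAX
# from sysctl net.inet.ip.fw.dyn_max (assumption; here passed as arguments).
check_ipfw_dyn() {
    log=$1; cur=$2; max=$3; rc=0
    ouch=$(count_msgs "$log" 'OUCH! cannot remove rule')
    drops=$(count_msgs "$log" 'drop session, too many entries')
    pct=$(dyn_usage_pct "$cur" "$max")
    # Rules that cannot be removed never leave the table: the leak itself.
    [ "$ouch" -gt 0 ] && { echo "WARN: $ouch 'cannot remove rule' messages"; rc=1; }
    # Sessions dropped means dyn_max has already been reached.
    [ "$drops" -gt 0 ] && { echo "WARN: $drops sessions dropped, dyn table full"; rc=1; }
    # Warn early, before the table is exhausted.
    [ "$pct" -ge 80 ] && { echo "WARN: dynamic rules $cur/$max (${pct}%)"; rc=1; }
    return $rc
}

# Sample run with a constructed count of 950 dynamic rules and dyn_max=1000;
# the "|| :" keeps the script's own exit status clean when warnings fire.
check_ipfw_dyn "$SAMPLE_LOG" 950 1000 || :
```

Run it from cron against the live log and counts; a non-zero return from check_ipfw_dyn is the signal to inspect the dynamic table before raising dyn_max.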