From: Mark
Organization: Asarian-host
Date: Thu, 18 Sep 2003 17:21:36 GMT
To: "Josh Paetzel"
cc: freebsd-questions@freebsd.org
Subject: Re: Ipfw on the fritz?
Message-Id: <200309181721.H8IHLA3P006459@asarian-host.net>
References: <200309180021.H8I0LW3P072727@asarian-host.net> <20030918005303.GJ27665@tcbug.org>

----- Original Message -----
From: "Josh Paetzel"
To: "Mark"
Cc:
Sent: Thursday, September 18, 2003 2:54 AM
Subject: Re: Ipfw on the fritz?

> On Thu, Sep 18, 2003 at 12:21:58AM +0000, Mark wrote:
>
> > Eek, I just got these eery messages in /var/log/messages:
> >
> > Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 1
> > Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 1
> > Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 2
> > Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 2
> > Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 1
> > Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 1
> >
> > That does not look good. :( I run FreeBSD 4.7R. Today I added a few
> > rules using "limit src-addr". Could that be it? And what does it mean?
> > Are some rules broken after this? I never had this happen before. Why
> > would ipfw even want to remove rules?
> >
> > Baffled & Concerned,
> >
> > - Mark
>
> The following thread may be of interest to you:
>
> http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-June/000215.html

Thank you for the thread. But a bad situation just got worse; all of a
sudden I got these too:

Sep 18 17:45:06 asarian-host /kernel: drop session, too many entries
Sep 18 17:45:06 asarian-host /kernel: drop session, too many entries
Sep 18 17:45:16 asarian-host /kernel: drop session, too many entries
Sep 18 17:45:16 asarian-host /kernel: drop session, too many entries

Too many entries? I have "net.inet.ip.fw.dyn_max" set to 1000. And there
are certainly not 1000+ dynamic rules. Well, thinking out loud, there
would be if "OUCH! cannot remove rule". :(

Is there an ipfw patch somewhere, so I can rebuild the kernel? I do not
wish to perform a cvsup, as that tends to make the system unstable. But if
I can compile a new kernel on a VMware box, and then copy over /kernel to
the real server, well, that I dare give a try.

Thanks,

- Mark
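
A log-triage sketch for the two kernel messages quoted in this message, added here as an example and not part of the original post or of ipfw itself. It times the gap between the first "cannot remove rule" line and the first "too many entries" drop; the function names and the `year` argument are assumptions (syslog timestamps carry no year).

```python
import re
from datetime import datetime

# Subset of the log lines quoted in the message above.
SAMPLE = """\
Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 1
Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 2
Sep 18 17:45:06 asarian-host /kernel: drop session, too many entries
Sep 18 17:45:16 asarian-host /kernel: drop session, too many entries
""".splitlines()

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /kernel: (.*)$")
EVENTS = {
    "remove_failed": re.compile(r"OUCH! cannot remove rule, count \d+"),
    "table_full": re.compile(r"drop session, too many entries"),
}

def parse(lines, year=2003):
    """Yield (timestamp, event) for each recognised ipfw kernel message."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a kernel log line in the expected layout
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for event, pattern in EVENTS.items():
            if pattern.search(m.group(2)):
                yield ts, event

def summarize(lines, year=2003):
    """Count each event and measure first removal failure -> first drop."""
    counts, first = {}, {}
    for ts, event in parse(lines, year):
        counts[event] = counts.get(event, 0) + 1
        first[event] = min(ts, first.get(event, ts))
    gap = None
    if "remove_failed" in first and "table_full" in first:
        gap = (first["table_full"] - first["remove_failed"]).total_seconds()
    # True only means failed removals were logged before the table filled,
    # which fits the hypothesis in the message; it does not prove a leak.
    return {"counts": counts, "gap_seconds": gap,
            "failures_before_drops": gap is not None and gap >= 0}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On a live host the same summary can be read alongside `ipfw -d show` and the `net.inet.ip.fw.dyn_max` sysctl named in the message.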