From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 8 03:18:50 2009
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 911E7106566B for ; Thu, 8 Oct 2009 03:18:50 +0000 (UTC) (envelope-from me@sharktooth.org)
Received: from onyx.sharktooth.org (166-70-186-42.ip.xmission.com [166.70.186.42]) by mx1.freebsd.org (Postfix) with ESMTP id 70A718FC08 for ; Thu, 8 Oct 2009 03:18:50 +0000 (UTC)
Received: from localhost.sharktooth.org ([::1] helo=users.sharktooth.org) by onyx.sharktooth.org with esmtp (Exim 4.63 (FreeBSD)) (envelope-from ) id 1MvixV-000NU9-Ns; Wed, 07 Oct 2009 20:42:28 -0600
Received: from 71.199.19.70 (SquirrelMail authenticated user me@sharktooth.org) by users.sharktooth.org with HTTP; Wed, 7 Oct 2009 20:42:25 -0600 (MDT)
Message-ID: <8d923f617db88c873c63bb2038752147.squirrel@users.sharktooth.org>
In-Reply-To: <4AC52918.2020705@smartt.com>
References: <4AC51F18.5050703@smartt.com> <4AC52918.2020705@smartt.com>
Date: Wed, 7 Oct 2009 20:42:25 -0600 (MDT)
From: "Jason Lewis"
To: "Chris St Denis"
User-Agent: SquirrelMail/1.4.16
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Mail-From: me@sharktooth.org
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on onyx.sharktooth.org
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,NO_RELAYS autolearn=ham version=3.1.7
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on onyx.sharktooth.org)
Cc: freebsd-ipfw@freebsd.org, Freddie Cash
Subject: Re: ipfw: install_state: entry already present, done
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 08 Oct 2009 03:18:50 -0000

Did you try a check_state?
I am using this same rule structure on BSD6 without a problem.

Thanks,
Jason
http://jasonlewis.yaritz.net

> Freddie Cash wrote:
>> On Thu, Oct 1, 2009 at 2:28 PM, Chris St Denis wrote:
>>
>>> Haven't gotten any response on -questions so trying here. I've also
>>> opened a PR (kern/139226) but it's gotten no replies so I figured I
>>> should try here since I'm not certain if it's a bug or not. Regardless,
>>> I am hoping for at least a work-around -- a few extra rules or settings
>>> to keep my console from being flooded by errors. So far the only option
>>> I found is commenting out the error display line in the kernel source,
>>> which is far from optimal.
>>>
>>> I'm trying to set up a stateful firewall for my server such that any
>>> traffic can go out, and its reply come back -- a fairly typical
>>> workstation setup. However I'm getting the error message "ipfw:
>>> install_state: entry already present, done" repeated many times in my
>>> logs (though the rules seemed to work fine otherwise).
>>>
>>> I stripped down the rules to the minimum I could and discovered the
>>> line causing it is "allow udp from me to any keep-state".
>>>
>>> It only seems to happen when I have bind running as a slave DNS server
>>> (not publicly listed, just the zone replication traffic causes the
>>> error) but I assume any other large source of UDP traffic would also
>>> do it.
>>>
>>> Full firewall rules:
>>>
>>> dns2# ipfw list
>>> 00100 allow ip from any to any via lo0
>>> 00200 deny ip from any to 127.0.0.0/8
>>> 00300 deny ip from 127.0.0.0/8 to any
>>> 00400 allow udp from me to any keep-state
>>> 65535 deny ip from any to any
>>>
>>>
>> If you add "out xmit em0" to the udp rule, do the errors stop?
> I added that and restarted bind (thus generating a bunch of UDP traffic)
> and the error still floods the console.
>
> Current rule set:
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 allow udp from me to any out xmit em0 keep-state
> 00500 allow ip from any to any
> 65535 deny ip from any to any
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>
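Jason's question above is whether a check-state rule sits ahead of the keep-state rule. As an added example (not code from this thread, from FreeBSD or from ipfw itself), the POSIX shell script below audits an `ipfw list` dump for keep-state or limit rules that appear before the first check-state rule, which is the rule-ordering question the reply raises. The two embedded rule dumps are constructed from the rules quoted in the thread; the rule number 00350 chosen for the inserted check-state is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: audit an `ipfw list` dump for
# keep-state (or limit) rules that are not preceded by a check-state rule.
# Only lines of the form "NNNNN action ..." are treated as rules; anything
# else (prompts, blank lines) is ignored.

# Print the rule number of every keep-state or limit rule that appears
# before the first check-state rule. Empty output means none were found.
audit_ipfw_state() {
    awk '
        $1 !~ /^[0-9]+$/ { next }                  # not a rule line
        /check-state/    { seen_check = 1; next }  # explicit check-state seen
        /keep-state|limit/ && !seen_check { print $1 }
    '
}

# Return 0 when the dump on stdin passes the audit, 1 otherwise.
ipfw_state_ok() {
    [ -z "$(audit_ipfw_state)" ]
}

# Constructed sample: the stripped-down ruleset quoted in the thread.
RULES_ORIG=$(cat <<'EOF'
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow udp from me to any keep-state
65535 deny ip from any to any
EOF
)

# Constructed sample: the same ruleset with an explicit check-state rule
# placed ahead of the keep-state rule (rule number 00350 is an assumption).
RULES_WITH_CHECK=$(cat <<'EOF'
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00350 check-state
00400 allow udp from me to any keep-state
65535 deny ip from any to any
EOF
)

# Stand-alone demonstration on the two constructed dumps.
printf '%s\n' "$RULES_ORIG" | audit_ipfw_state          # prints 00400
printf '%s\n' "$RULES_WITH_CHECK" | ipfw_state_ok && echo "ok"
```

On a live host the same function reads the real ruleset with `ipfw list | audit_ipfw_state`. Per ipfw(8), when no check-state rule exists the dynamic ruleset is consulted at the first keep-state or limit rule, so the audit only tells you whether a ruleset relies on that implicit behaviour instead of an explicit check-state; it says nothing about whether adding the explicit rule changes the install_state message, which is what the thread is still trying to establish.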