From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 16 23:11:59 2009
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 49B5910656A7 for ; Fri, 16 Oct 2009 23:11:59 +0000 (UTC) (envelope-from chris@smartt.com)
Received: from mailout3.smartt.com (mailout3.smartt.com [69.67.187.28]) by mx1.freebsd.org (Postfix) with ESMTP id 22E548FC16 for ; Fri, 16 Oct 2009 23:11:59 +0000 (UTC)
Received: from [69.31.174.220] (unknown [69.31.174.220]) by mailout3.smartt.com (Postfix) with ESMTPA id B5F3310E498; Fri, 16 Oct 2009 16:11:53 -0700 (PDT)
Message-ID: <4AD8FDD0.30008@smartt.com>
Date: Fri, 16 Oct 2009 16:12:16 -0700
From: Chris St Denis
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Jason Lewis
References: <4AC51F18.5050703@smartt.com> <4AC52918.2020705@smartt.com> <8d923f617db88c873c63bb2038752147.squirrel@users.sharktooth.org> <4ACF9341.2040406@smartt.com>
In-Reply-To: <4ACF9341.2040406@smartt.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-ipfw@freebsd.org, Freddie Cash
Subject: Re: ipfw: install_state: entry already present, done
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 16 Oct 2009 23:11:59 -0000

This is definitely a regression in 7.2. Downgrades to 6.4, 7.0, 7.1 did not show this symptom. Upgrade the test server back to 7.2 and the messages come back.

Chris St Denis wrote:
> check_state doesn't help. The error is also generated from the rc.conf firewall_type="workstation" rule set which includes check_state among several other rules.
>
> I made a copy of this server (it's a virtual server under VMware) and downgraded it to 6.4-RELEASE-p7 and I no longer get the error.
>
> I downgraded another copy to 7.2-RELEASE (no patches) by copying the generic kernel off the CD. Still gets errors.
>
> Downgraded it to 7.0-RELEASE and the message stopped.
>
> I'm going to try going to 7.1 and see which behavior it has.
>
> Looks like there may have been a regression in 7.2 (or maybe 7.1 pending the results of my further testing)
>
>
> Jason Lewis wrote:
>> Did you try a check_state? I am using this same rule structure on BSD6 without a problem.
>>
>> Thanks,
>> Jason
>> http://jasonlewis.yaritz.net
>>
>>
>>> Freddie Cash wrote:
>>>
>>>> On Thu, Oct 1, 2009 at 2:28 PM, Chris St Denis wrote:
>>>>
>>>>> Haven't gotten any response on -questions so trying here. I've also opened a PR (kern/139226) but it's gotten no replies so I figured I should try here since I'm not certain if it's a bug or not. Regardless I am hoping for at least a work-around -- a few extra rules or settings to keep my console from being flooded by errors. So far the only option I found is commenting out the error display line in the kernel source, which is far from optimal.
>>>>>
>>>>> I'm trying to set up a stateful firewall for my server such that any traffic can go out, and its reply come back -- a fairly typical workstation setup. However I'm getting the error message "ipfw: install_state: entry already present, done" repeated many times in my logs (though the rules seemed to work fine otherwise).
>>>>>
>>>>> I stripped down the rules to the minimum I could and discovered the line causing it is "allow udp from me to any keep-state".
>>>>>
>>>>> Only seems to happen when I have bind running as a slave dns server (not publicly listed, just the zone replication traffic causes the error) but I assume any other large source of UDP traffic would also do it.
>>>>>
>>>>> Full firewall rules:
>>>>>
>>>>> dns2# ipfw list
>>>>> 00100 allow ip from any to any via lo0
>>>>> 00200 deny ip from any to 127.0.0.0/8
>>>>> 00300 deny ip from 127.0.0.0/8 to any
>>>>> 00400 allow udp from me to any keep-state
>>>>> 65535 deny ip from any to any
>>>>>
>>>> If you add "out xmit em0" to the udp rule, do the errors stop?
>>>>
>>> I added that and restarted bind (thus generating a bunch of UDP traffic) and the error still floods the console.
>>>
>>> Current rule set:
>>> 00100 allow ip from any to any via lo0
>>> 00200 deny ip from any to 127.0.0.0/8
>>> 00300 deny ip from 127.0.0.0/8 to any
>>> 00400 allow udp from me to any out xmit em0 keep-state
>>> 00500 allow ip from any to any
>>> 65535 deny ip from any to any
>>>
>>> _______________________________________________
>>> freebsd-ipfw@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>>
>

--
Chris St Denis
Programmer
SmarttNet (www.smartt.com)
Ph: 604-473-9700 Ext. 200
-------------------------------------------
"Smart Internet Solutions For Businesses"
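As an added illustration of the stateful behaviour this thread is troubleshooting (example code written for this page, not ipfw's own implementation, and not a diagnosis of the 7.2 regression, which the thread leaves open): a small Python model of the first rule set Chris posted, with a dynamic rule table. It shows how `keep-state` installs an entry for the first outbound UDP packet, how the reply is matched through the implicit check-state that a keep-state rule performs, why unsolicited inbound UDP still falls through to the default deny, and the table path that emits the `install_state: entry already present` text when an install is attempted for a flow that is already present. The `racing_install` scenario is an assumed illustration of one way that path can be reached (two packets of a new flow both missing the lookup before either installs), not a cause established on the page. All addresses are constructed documentation-range values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Added model of the thread's rule set; not ipfw's code. Addresses used in
# the demo are constructed (RFC 5737 documentation ranges).

ALREADY_PRESENT_MSG = "ipfw: install_state: entry already present, done"


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp", "tcp", ...
    src: str
    sport: int
    dst: str
    dport: int
    iface: str      # interface the packet traverses, e.g. "lo0" or "em0"


def flow_key(pkt: Packet) -> tuple:
    """Direction-independent key so a reply matches the entry its request installed."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, ends[0], ends[1])


class DynTable:
    """Dynamic rule table that keep-state entries are installed into."""

    def __init__(self) -> None:
        self.entries: dict = {}       # flow key -> parent rule number
        self.messages: list = []      # console messages the model would emit

    def lookup(self, pkt: Packet) -> Optional[int]:
        return self.entries.get(flow_key(pkt))

    def install_state(self, pkt: Packet, rule_no: int) -> bool:
        key = flow_key(pkt)
        if key in self.entries:
            # The path behind the message in the thread: an install is
            # requested for a flow that is already in the table.
            self.messages.append(ALREADY_PRESENT_MSG)
            return False
        self.entries[key] = rule_no
        return True


class Firewall:
    """The five rules from the first 'ipfw list' in the thread, evaluated in order."""

    def __init__(self, my_addrs) -> None:
        self.me = set(my_addrs)
        self.dyn = DynTable()

    @staticmethod
    def _loopback(addr: str) -> bool:
        return addr.startswith("127.")

    def check(self, pkt: Packet) -> Tuple[int, str]:
        if pkt.iface == "lo0":                 # 00100 allow ip from any to any via lo0
            return (100, "allow")
        if self._loopback(pkt.dst):            # 00200 deny ip from any to 127.0.0.0/8
            return (200, "deny")
        if self._loopback(pkt.src):            # 00300 deny ip from 127.0.0.0/8 to any
            return (300, "deny")
        # 00400 allow udp from me to any keep-state. A keep-state rule performs
        # an implicit check-state first, so an existing dynamic entry matches
        # packets of that flow in either direction (this is how replies get in).
        parent = self.dyn.lookup(pkt)
        if parent is not None:
            return (parent, "allow")
        if pkt.proto == "udp" and pkt.src in self.me:
            self.dyn.install_state(pkt, 400)
            return (400, "allow")
        return (65535, "deny")                 # 65535 deny ip from any to any


def racing_install(fw: Firewall, pkt_a: Packet, pkt_b: Packet) -> Tuple[bool, bool]:
    """Assumed illustration only: two packets of the same new flow both miss the
    lookup before either installs, so the second install finds the entry present.
    The thread does not establish this as the cause of the 7.2 behaviour."""
    miss_a = fw.dyn.lookup(pkt_a) is None
    miss_b = fw.dyn.lookup(pkt_b) is None
    first = fw.dyn.install_state(pkt_a, 400) if miss_a else False
    second = fw.dyn.install_state(pkt_b, 400) if miss_b else False
    return first, second


if __name__ == "__main__":
    fw = Firewall(["192.0.2.10"])
    query = Packet("udp", "192.0.2.10", 53000, "198.51.100.1", 53, "em0")
    reply = Packet("udp", "198.51.100.1", 53, "192.0.2.10", 53000, "em0")
    print(fw.check(query), fw.check(reply))
    print(racing_install(Firewall(["192.0.2.10"]), query, query))
```

The model deliberately keeps the dynamic lookup ahead of the static `udp from me` match at rule 400, since that ordering is what lets the inbound reply be accepted without any rule that matches "from any to me".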