Date: Thu, 01 Oct 2009 14:28:56 -0700
From: Chris St Denis <chris@smartt.com>
To: freebsd-ipfw@freebsd.org
Subject: ipfw: install_state: entry already present, done
Message-ID: <4AC51F18.5050703@smartt.com>
Haven't gotten any response on -questions so trying here. I've also opened a PR (kern/139226) but it's gotten no replies, so I figured I should try here since I'm not certain if it's a bug or not. Regardless, I am hoping for at least a work-around -- a few extra rules or settings to keep my console from being flooded by errors. So far the only option I found is commenting out the error display line in the kernel source, which is far from optimal.

I'm trying to set up a stateful firewall for my server such that any traffic can go out, and its reply come back -- a fairly typical workstation setup. However I'm getting the error message "ipfw: install_state: entry already present, done" repeated many times in my logs (though the rules seemed to work fine otherwise).

I stripped down the rules to the minimum I could and discovered the line causing it is "allow udp from me to any keep-state". Only seems to happen when I have bind running as a slave dns server (not publicly listed, just the zone replication traffic causes the error) but I assume any other large source of UDP traffic would also do it.

Full firewall rules:

    dns2# ipfw list
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    00400 allow udp from me to any keep-state
    65535 deny ip from any to any

I found some search results for this error message, but none seem to have a solution to the problem.

I also tried adding at the start "allow { tcp or udp } from any to me dst-port 53" and "allow { tcp or udp } from me to any uid bind", which means the keep-state rule shouldn't even be getting hit much, but I still get a flood of errors.
System info:

    dns2# uname -a
    FreeBSD dns2 7.2-RELEASE-p2 FreeBSD 7.2-RELEASE-p2 #0: Wed Jun 24 00:14:35 UTC 2009     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

Hardware: virtual server under VMware ESXi (not that that should matter)
Network card: em0

--
Chris St Denis
Programmer
SmarttNet (www.smartt.com)
Ph: 604-473-9700 Ext. 200
-------------------------------------------
"Smart Internet Solutions For Businesses"
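As an added illustration, not part of Chris's mail or of FreeBSD: a small sh/awk triage script that buckets the kernel's "install_state: entry already present" message and named activity by minute, so the suspected link between the flood and slave-zone traffic can be checked against /var/log/messages before changing rules. The log excerpt is constructed, and the named message texts and the HH:MM:SS field position are assumptions about FreeBSD syslog output.

```shell
#!/bin/sh
# Added example: correlate the ipfw install_state message with named
# activity per minute. Sample log below is CONSTRUCTED in FreeBSD
# syslog layout ("Mon DD HH:MM:SS host program[pid]: text").
SAMPLE_LOG=$(mktemp "${TMPDIR:-/tmp}/ipfwlog.XXXXXX")
cat > "$SAMPLE_LOG" <<'EOF'
Oct  1 13:02:11 dns2 named[812]: zone example.org/IN: Transfer started.
Oct  1 13:02:11 dns2 kernel: ipfw: install_state: entry already present, done
Oct  1 13:02:12 dns2 kernel: ipfw: install_state: entry already present, done
Oct  1 13:02:13 dns2 named[812]: transfer of 'example.org/IN' from 192.0.2.10#53: Transfer completed
Oct  1 13:05:40 dns2 sshd[901]: Accepted publickey for chris from 192.0.2.20
Oct  1 13:07:02 dns2 named[812]: zone example.net/IN: notify from 192.0.2.10#53: serial 2009100101
Oct  1 13:07:03 dns2 kernel: ipfw: install_state: entry already present, done
Oct  1 13:09:30 dns2 kernel: ipfw: install_state: entry already present, done
EOF

# Total occurrences of the ipfw message in a log file.
count_install_state() {
    grep -c 'ipfw: install_state: entry already present' "$1"
}

# Per-minute table "HH:MM ipfw_msgs named_msgs", sorted by minute.
# The minute is the first five characters of the timestamp field ($3);
# named lines are recognised by the program field ($5) starting "named[".
correlate_by_minute() {
    awk '
        { minute = substr($3, 1, 5); seen[minute] = 1 }
        /ipfw: install_state: entry already present/ { ipfw[minute]++ }
        $5 ~ /^named\[/ { named[minute]++ }
        END {
            for (m in seen)
                printf "%s %d %d\n", m, ipfw[m] + 0, named[m] + 0
        }' "$1" | sort
}

# Minutes where the ipfw message appeared with no named activity at all:
# each such minute is evidence that something other than zone traffic
# is also hitting the keep-state rule.
ipfw_without_named() {
    correlate_by_minute "$1" | awk '$2 > 0 && $3 == 0 { print $1 }'
}

correlate_by_minute "$SAMPLE_LOG"
```

Run it against the real file with `correlate_by_minute /var/log/messages` once the functions are sourced; a minute listed by `ipfw_without_named` is one to look at with `ipfw -d list` while it happens.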