From owner-freebsd-ipfw@FreeBSD.ORG  Thu Jun  5 04:10:20 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D89E137B404
	for <freebsd-ipfw@freebsd.org>; Thu,  5 Jun 2003 04:10:20 -0700 (PDT)
Received: from genua.rfc-networks.ie (genua.rfc-networks.ie [62.77.182.178])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EF3CC43FA3
	for <freebsd-ipfw@freebsd.org>; Thu,  5 Jun 2003 04:10:19 -0700 (PDT)
	(envelope-from philip.reynolds@rfc-networks.ie)
Received: from tear.domain (unknown [10.0.1.254])
	by genua.rfc-networks.ie (Postfix) with ESMTP id 81B6A54872
	for <freebsd-ipfw@freebsd.org>; Thu,  5 Jun 2003 12:10:17 +0100 (IST)
Received: by tear.domain (Postfix, from userid 1000)
	id EC2BF21150; Thu,  5 Jun 2003 11:10:17 +0000 (GMT)
Date: Thu, 5 Jun 2003 11:10:17 +0000
From: Philip Reynolds <philip.reynolds@rfc-networks.ie>
To: freebsd-ipfw@freebsd.org
Message-ID: <20030605111017.GB64530@rfc-networks.ie>
References: <20030605131543.266dfaba.nev@hotbox.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030605131543.266dfaba.nev@hotbox.ru>
X-Operating-System: FreeBSD 4.7-STABLE
X-URL: http://www.rfc-networks.ie
Subject: Re: IPFW OUCH! cannot remove rule, count 1
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: philip.reynolds@rfc-networks.ie
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jun 2003 11:10:21 -0000

Andrew B <nev@hotbox.ru> 31 lines of wisdom included:
> allow tcp from any to me 80 limit src-addr 50 in recv em0
> allow tcp from me 80 to any out xmit em0
> 
> But it seems that dynamic rules are not removing cleanly so 
> i can see thess messages:
> 
> Jun  5 05:53:29 www /kernel: OUCH! cannot remove rule, count 1
> Jun  5 05:53:29 www /kernel: OUCH! cannot remove rule, count 2
> 
> 
> I found this in ip_fw.c:
> 
> if (pass == 1) /* should not happen */
>                         printf("OUCH! cannot remove rule, count %d\n",

Can you CVSup, there were problems with limit in previous releases,
newer versions fix this IIRC.

Phil.
-- 
Philip Reynolds                      | RFC Networks Ltd.
philip.reynolds@rfc-networks.ie      | +353 (0)1 8832063
http://people.rfc-networks.ie/~phil  | www.rfc-networks.ie