From: Freddie Cash <fjwcash@gmail.com>
To: Chris St Denis
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 1 Oct 2009 14:55:12 -0700
Subject: Re: ipfw: install_state: entry already present, done
In-Reply-To: <4AC51F18.5050703@smartt.com>
List-Id: IPFW Technical Discussions
On Thu, Oct 1, 2009 at 2:28 PM, Chris St Denis wrote:
> Haven't gotten any response on -questions so trying here. I've also opened
> a PR (kern/139226) but it's gotten no replies so I figured I should try here
> since I'm not certain if it's a bug or not. Regardless I am hoping for at
> least a work-around -- a few extra rules or settings to keep my console from
> being flooded by errors. So far the only option I've found is commenting out
> the error display line in the kernel source, which is far from optimal.
>
> I'm trying to set up a stateful firewall for my server such that any traffic
> can go out, and its reply come back -- a fairly typical workstation setup.
> However I'm getting the error message "ipfw: install_state: entry already
> present, done" repeated many times in my logs (though the rules seem to work
> fine otherwise).
>
> I stripped down the rules to the minimum I could and discovered the line
> causing it is "allow udp from me to any keep-state".
>
> It only seems to happen when I have bind running as a slave DNS server (not
> publicly listed; just the zone replication traffic causes the error), but I
> assume any other large source of UDP traffic would also do it.
>
> Full firewall rules:
>
> dns2# ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 allow udp from me to any keep-state
> 65535 deny ip from any to any
>

If you add "out xmit em0" to the udp rule, do the errors stop?

-- 
Freddie Cash
fjwcash@gmail.com
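As an added example, not code from either poster: the ruleset Chris listed, rebuilt as a small FreeBSD-style ipfw loader script with Freddie's suggested "out xmit em0" qualifier applied to the UDP rule, so the two variants can be swapped while watching the console for the install_state message. Two things are assumptions not stated in the thread: em0 is the outside interface (the name comes from the reply), and the firewall command is /sbin/ipfw. Rule 350 (an explicit check-state) is also an addition; keep-state rules already imply the dynamic-table lookup, the explicit rule only makes it visible. Whether the qualified rule actually stops the messages is exactly what the reply asks Chris to test; the script does not settle that.

```shell
#!/bin/sh
# Added example, not code from the thread: Chris's ruleset rebuilt as an
# ipfw loader script, with the UDP keep-state rule qualified "out xmit em0"
# as Freddie suggests.
#
# Assumptions (not stated in the thread): em0 is the outside interface and
# /sbin/ipfw is the firewall command. The default action is a dry run that
# prints the rules; pass "load" to actually install them (as root).
set -eu

IPFW="${IPFW:-/sbin/ipfw -q}"
EXT_IF="${EXT_IF:-em0}"

# One rule per line, in the numbering Chris used. Rule 350 is added here:
# keep-state rules already imply a dynamic-table lookup, but an explicit
# check-state makes it visible that replies are matched before rule 400.
# Dropping "out xmit ${EXT_IF}" from rule 400 gives the ruleset as posted.
rules() {
    cat <<EOF
100 allow ip from any to any via lo0
200 deny ip from any to 127.0.0.0/8
300 deny ip from 127.0.0.0/8 to any
350 check-state
400 allow udp from me to any out xmit ${EXT_IF} keep-state
EOF
}

# Flush the running ruleset and install rules() one by one. Rule 65535 is
# the kernel's built-in default (deny, unless the kernel was built with
# IPFIREWALL_DEFAULT_TO_ACCEPT), so it is not added here.
load_rules() {
    $IPFW -f flush
    rules | while IFS= read -r rule; do
        # word splitting of $rule is intended: each word is an ipfw token
        $IPFW add $rule
    done
}

case "${1:-print}" in
    load)  load_rules ;;
    print) rules ;;
    *)     echo "usage: $0 [print|load]" >&2; exit 2 ;;
esac
```

Run it with no argument to print the rules, with "load" as root to install them, or with IPFW=echo in the environment to see the exact ipfw invocations the load path would make without touching the running firewall.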