Date: Thu, 19 Sep 2002 11:56:47 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: MIchael <soppscum@online.no>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: OUCH! Cannot remove rules, count 1
Message-ID: <20020919115647.A81653@iguana.icir.org>
In-Reply-To: <20020919195054.4040d14a.soppscum@online.no>; from soppscum@online.no on Thu, Sep 19, 2002 at 07:50:54PM +0200
References: <20020919195054.4040d14a.soppscum@online.no>
On Thu, Sep 19, 2002 at 07:50:54PM +0200, MIchael wrote:
> I'm getting a lot of "OUCH! cannot remove rules, count 1" in my logs lately
> Does anyone know what this means?

It is a bug in the ipfw1 code. But also you have a bug in your
ruleset too, because you must not specify both "keep-state" and "limit".

All this is fixed in ipfw2 (which properly flags the invalid rules),
so I suggest you upgrade your firewall code to ipfw2.

	cheers
	luigi

> Searching Google it seems that it's related to the limit option in ipfw.
>
> I'm running FreeBSD 4.6.2 on a Cyrix166 with 49ram
> rules with limit in my firewall script :
>
> $cmd 00641 allow tcp from any to any 2001 in via $oif setup keep-state limit src-addr 4
> $cmd 00642 allow udp from any to any 2001 in via $oif keep-state limit src-addr 4
> $cmd 00643 allow tcp from any to any 2002 in via $oif setup keep-state limit src-addr 4
> $cmd 00644 allow udp from any to any 2002 in via $oif keep-state limit src-addr 4
> $cmd 00645 allow tcp from any to any 2003 in via $oif setup keep-state limit src-addr 4
> $cmd 00646 allow udp from any to any 2003 in via $oif keep-state limit src-addr 4
> $cmd 00600 allow tcp from any to any 80 in via $oif setup keep-state limit src-addr 4
> $cmd 00621 allow log tcp from any to me 9000 in via $oif setup keep-state limit src-addr 4
> $cmd 00640 reset log tcp from any to me 113 in via $oif limit src-addr 4
>
> Thanks
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
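
As an added example (not part of the original message and not ipfw's own code), the shell function below scans a rules script for rules that specify both "keep-state" and "limit", the combination the reply says must not be used. It assumes one rule per line in the "$cmd NNNNN action ..." layout of the quoted script; the function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag ipfw rules that combine "keep-state" with "limit".
# Assumes one rule per line in the form "$cmd NNNNN action ...", as in the
# quoted script; rules without a number in field 2 are reported by line.

find_conflicting_rules() {
    awk '
        { sub(/#.*/, "") }                  # drop comments
        NF == 0 { next }                    # skip blank lines
        {
            ks = 0; lim = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "keep-state") ks = 1
                if ($i == "limit")      lim = 1
            }
            if (ks && lim)
                print (($2 ~ /^[0-9]+$/) ? $2 : ("line " NR))
        }
    ' "$1"
}

# Constructed sample: three rules copied from the quoted script plus a
# hypothetical limit-only rule (00700) that should not be flagged.
write_sample_rules() {
    cat > "$1" <<'EOF'
# sample ruleset
$cmd 00600 allow tcp from any to any 80 in via $oif setup keep-state limit src-addr 4
$cmd 00640 reset log tcp from any to me 113 in via $oif limit src-addr 4
$cmd 00642 allow udp from any to any 2001 in via $oif keep-state limit src-addr 4
$cmd 00700 allow tcp from any to any 80 in via $oif setup limit src-addr 4
EOF
}

# Run the check over the constructed sample and print the flagged rules.
check_sample() {
    tmp=$(mktemp) || return 1
    write_sample_rules "$tmp"
    find_conflicting_rules "$tmp"
    rm -f "$tmp"
}
```

Calling `find_conflicting_rules /path/to/rules-script` prints the number of each rule to edit before the ruleset is loaded.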