From: Chris St Denis <chris@smartt.com>
Date: Thu, 24 Sep 2009 15:03:43 -0700
To: freebsd-questions@freebsd.org
Subject: ipfw: install_state: entry already present, done
Message-ID: <4ABBECBF.8050505@smartt.com>

I'm trying to set up a stateful firewall for my server such that any traffic can go out, and its reply come back. However, I'm getting the error message "ipfw: install_state: entry already present, done" repeated many times in my logs (though the rules seemed to work fine otherwise).

I stripped down the rules to the minimum I could and discovered the line causing it is "allow udp from me to any keep-state". The similar line for TCP also causes it if the "setup" keyword is left off. But UDP does not work if I put the setup keyword on its line (because there is no setup for UDP, I assume).

Full firewall rules:

dns2# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow udp from me to any keep-state
65535 deny ip from any to any

I found some search results for this error message, but none seem to have a solution to the problem.

System info:

dns2# uname -a
FreeBSD dns2 7.2-RELEASE-p2 FreeBSD 7.2-RELEASE-p2 #0: Wed Jun 24 00:14:35 UTC 2009 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64

Hardware: virtual server under VMware ESXi (not that that should matter)
Network card: em0

-- 
Chris St Denis
Programmer
SmarttNet (www.smartt.com)
Ph: 604-473-9700 Ext. 200
-------------------------------------------
"Smart Internet Solutions For Businesses"
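The ruleset above, as an added check that is not part of the original post or of FreeBSD: a small Python script that parses "ipfw list" output and flags the two stateful-rule shapes the post describes (a tcp keep-state rule without setup, and keep-state rules with no check-state rule ahead of them; the latter is a general ipfw consideration, not something the post raises). The 00500 tcp rule in the sample is constructed to exercise the check; the regex only covers the "action proto from src to dst [options]" shape shown in the post.

```python
import re

# Constructed sample: the "ipfw list" output quoted in the post, plus one
# hypothetical tcp keep-state rule without "setup" to exercise the audit.
IPFW_LIST = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow udp from me to any keep-state
00500 allow tcp from me to any keep-state
65535 deny ip from any to any
"""

# Matches "NNNNN action proto from SRC to DST [options...]" lines only.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>\S+)\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<opts>.*))?$"
)

def parse_rules(text):
    """Parse 'ipfw list' output. Lines without a from/to body (for example a
    bare 'check-state' rule) keep their number and the rest as 'action'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m:
            rule = m.groupdict()
            rule["opts"] = (rule["opts"] or "").split()
        else:
            num, _, rest = line.partition(" ")
            rule = {"num": num, "action": rest.strip(), "proto": None,
                    "src": None, "dst": None, "opts": []}
        rules.append(rule)
    return rules

def audit_stateful(rules):
    """Return (rule number, message) findings for keep-state rules, in order."""
    findings = []
    check_state_seen = False
    for r in rules:
        if r["action"] == "check-state":
            check_state_seen = True
            continue
        if "keep-state" not in r["opts"]:
            continue
        if r["proto"] == "tcp" and "setup" not in r["opts"]:
            findings.append((r["num"], "tcp keep-state without setup"))
        if not check_state_seen:
            findings.append((r["num"], "keep-state with no earlier check-state"))
    return findings

if __name__ == "__main__":
    for num, msg in audit_stateful(parse_rules(IPFW_LIST)):
        print(f"rule {num}: {msg}")
```

Feed it the real output with: ipfw list | python3 audit.py (reading sys.stdin instead of IPFW_LIST) to check a live ruleset.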