Date:      Thu, 01 Oct 2009 15:11:36 -0700
From:      Chris St Denis <chris@smartt.com>
To:        Freddie Cash <fjwcash@gmail.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: ipfw: install_state: entry already present, done
Message-ID:  <4AC52918.2020705@smartt.com>
In-Reply-To: <b269bc570910011455i7fd46379p720a38a7ff50260e@mail.gmail.com>
References:  <4AC51F18.5050703@smartt.com> <b269bc570910011455i7fd46379p720a38a7ff50260e@mail.gmail.com>

Freddie Cash wrote:
> On Thu, Oct 1, 2009 at 2:28 PM, Chris St Denis <chris@smartt.com> wrote:
>
>> Haven't gotten any response on -questions so trying here. I've also opened
>> a PR (kern/139226) but it's gotten no replies so I figured I should try here
>> since I'm not certain if it's a bug or not. Regardless, I am hoping for at
>> least a work-around -- a few extra rules or settings to keep my console from
>> being flooded by errors. So far the only option I found is commenting out the
>> error display line in the kernel source, which is far from optimal.
>>
>> I'm trying to set up a stateful firewall for my server such that any traffic
>> can go out, and its reply come back -- a fairly typical workstation setup.
>> However I'm getting the error message "ipfw: install_state: entry already
>> present, done" repeated many times in my logs (though the rules seemed to work
>> fine otherwise).
>>
>> I stripped down the rules to the minimum I could and discovered the line
>> causing it is "allow udp from me to any keep-state".
>>
>> Only seems to happen when I have bind running as a slave dns server (not
>> publicly listed, just the zone replication traffic causes the error) but I
>> assume any other large source of UDP traffic would also do it.
>>
>> Full firewall rules:
>>
>>   dns2# ipfw list
>>   00100 allow ip from any to any via lo0
>>   00200 deny ip from any to 127.0.0.0/8
>>   00300 deny ip from 127.0.0.0/8 to any
>>   00400 allow udp from me to any keep-state
>>   65535 deny ip from any to any
>>
> If you add "out xmit em0" to the udp rule, do the errors stop?
I added that and restarted bind (thus generating a bunch of UDP traffic)
and the error still floods the console.

Current rule set:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow udp from me to any out xmit em0 keep-state
00500 allow ip from any to any
65535 deny ip from any to any
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4AC52918.2020705>