ipfw: install_state: entry already present, done
Jason Lewis
me at sharktooth.org
Thu Oct 8 03:18:50 UTC 2009
Did you try a check_state? I am using this same rule structure on BSD6
without a problem.
Thanks,
Jason
http://jasonlewis.yaritz.net
> Freddie Cash wrote:
>> On Thu, Oct 1, 2009 at 2:28 PM, Chris St Denis <chris at smartt.com> wrote:
>>
>>> Haven't gotten any response on -questions so trying here. I've also opened a PR (kern/139226) but it's gotten no replies so I figured I should try here since I'm not certain if it's a bug or not. Regardless I am hoping for at least a work-around -- a few extra rules or settings to keep my console from being flooded by errors. So far the only option I found is commenting out the error display line in the kernel source which is far from optimal.
>>>
>>> I'm trying to set up a stateful firewall for my server such that any traffic can go out, and its reply come back -- a fairly typical workstation setup. However I'm getting the error message "ipfw: install_state: entry already present, done" repeated many times in my logs (tho the rules seemed to work fine otherwise).
>>>
>>> I stripped down the rules to the minimum I could and discovered the line causing it is "allow udp from me to any keep-state".
>>>
>>> Only seems to happen when I have bind running as a slave dns server (not publicly listed, just the zone replication traffic causes the error) but I assume any other large source of UDP traffic would also do it.
>>>
>>> Full firewall rules:
>>>
>>> dns2# ipfw list
>>> 00100 allow ip from any to any via lo0
>>> 00200 deny ip from any to 127.0.0.0/8
>>> 00300 deny ip from 127.0.0.0/8 to any
>>> 00400 allow udp from me to any keep-state
>>> 65535 deny ip from any to any
>>>
>> If you add "out xmit em0" to the udp rule, do the errors stop?
> I added that and restarted bind (thus generating a bunch of UDP traffic)
> and the error still floods the console.
>
> Current rule set:
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 allow udp from me to any out xmit em0 keep-state
> 00500 allow ip from any to any
> 65535 deny ip from any to any
>
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
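The following is an added illustration, not code from the thread or from FreeBSD: a small Python model of the ipfw stateful-matching behaviour the thread turns on. It follows the semantics documented in ipfw(8): a check-state rule looks the packet up in the dynamic table and, on a hit, applies the action of the rule that created the entry; the first keep-state rule in a ruleset implies that check; a keep-state match installs a bidirectional entry keyed on the 5-tuple, which later times out. The "install_state: entry already present" guard is modelled as a log line after which the packet is still allowed, which matches the poster's remark that the rules kept working. The addresses, ports, the 10-second UDP lifetime and the `concurrent_lookups` scenario are all constructed assumptions; the thread does not establish what produces the duplicate on the poster's machine, and the lo0 and 127.0.0.0/8 rules are left out because the model has no interfaces or CIDR matching.

```python
"""Toy model of ipfw dynamic (stateful) rules, written for illustration.
Not the FreeBSD kernel's code; semantics taken from ipfw(8)."""
from dataclasses import dataclass
import time

LOCAL_ADDRS = {"192.0.2.10"}     # what the "me" keyword resolves to (constructed)
DYN_LIFETIME_UDP = 10            # seconds; ipfw's default net.inet.ip.fw.dyn_udp_lifetime

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str               # "in" or "out"

@dataclass
class Rule:
    number: int
    action: str                  # "allow", "deny" or "check-state"
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    direction: str = "any"
    keep_state: bool = False
    check_state: bool = False

def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in LOCAL_ADDRS
    return spec == addr

def static_match(rule, pkt):
    """The rule body: protocol, addresses and direction (no interfaces modelled)."""
    return (rule.proto in ("ip", pkt.proto)
            and _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and rule.direction in ("any", pkt.direction))

def flow_key(pkt):
    # Unordered pair of endpoints: the entry matches the reply as well as the request.
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = {}        # flow_key -> (parent rule number, expiry time)
        self.log = []

    def lookup_dyn(self, pkt, now):
        key = flow_key(pkt)
        entry = self.dynamic.get(key)
        if entry and entry[1] < now:          # expired entries are reaped on lookup
            del self.dynamic[key]
            return None
        return entry

    def install_state(self, rule, pkt, now):
        key = flow_key(pkt)
        if key in self.dynamic:
            # The guard behind the message in the thread: log it and carry on.
            self.log.append("ipfw: install_state: entry already present, done")
            return
        self.dynamic[key] = (rule.number, now + DYN_LIFETIME_UDP)

    def process(self, pkt, now=None):
        """Return (action, rule number) for a packet, installing state as it goes."""
        now = time.monotonic() if now is None else now
        looked_up = False        # the dynamic lookup happens once per packet
        for rule in self.rules:
            if (rule.check_state or rule.keep_state) and not looked_up:
                looked_up = True
                hit = self.lookup_dyn(pkt, now)
                if hit:          # dynamic hit: act as the parent rule would
                    parent = next(r for r in self.rules if r.number == hit[0])
                    return parent.action, parent.number
            if rule.check_state:
                continue
            if static_match(rule, pkt):
                if rule.keep_state:
                    self.install_state(rule, pkt, now)
                return rule.action, rule.number
        return "deny", 65535

def thread_ruleset(with_check_state=False):
    """Rules 400 and 65535 from the thread, optionally with Jason's explicit check-state."""
    rules = [Rule(400, "allow", proto="udp", src="me", keep_state=True),
             Rule(65535, "deny")]
    if with_check_state:
        rules.append(Rule(350, "check-state", check_state=True))
    return rules

def dns_exchange(fw, now=0.0):
    """Outbound query, its reply, and a second query on the same socket (constructed)."""
    query = Packet("udp", "192.0.2.10", 50000, "198.51.100.1", 53, "out")
    reply = Packet("udp", "198.51.100.1", 53, "192.0.2.10", 50000, "in")
    return fw.process(query, now), fw.process(reply, now + 0.1), fw.process(query, now + 0.2)

def concurrent_lookups(fw, now=0.0):
    """Constructed scenario: two copies of one datagram are both looked up before
    either installs state, so the second install finds the entry already there."""
    pkt = Packet("udp", "192.0.2.10", 50000, "198.51.100.1", 53, "out")
    rule = next(r for r in fw.rules if r.keep_state)
    first, second = fw.lookup_dyn(pkt, now), fw.lookup_dyn(pkt, now)
    fw.install_state(rule, pkt, now)
    fw.install_state(rule, pkt, now)
    return first, second, list(fw.log)
```

With this model the reply and the repeated query are both accepted by the dynamic entry that rule 400 created, and no duplicate install happens whether or not a separate check-state rule precedes the keep-state rule. The log line only appears when a packet reaches install_state while an identical entry exists, which `concurrent_lookups` forces by hand; an unsolicited inbound datagram, for which no entry exists, falls through to the default deny.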