Ipfw on the fritz?

Mark admin at asarian-host.net
Thu Sep 18 10:21:40 PDT 2003


----- Original Message -----
From: "Josh Paetzel" <friar_josh at webwarrior.net>
To: "Mark" <admin at asarian-host.net>
Cc: <freebsd-questions at freebsd.org>
Sent: Thursday, September 18, 2003 2:54 AM
Subject: Re: Ipfw on the fritz?

> On Thu, Sep 18, 2003 at 12:21:58AM +0000, Mark wrote:
>
> > Eek, I just got these eerie messages in /var/log/messages:
> >
> > Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 1
> > Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 1
> > Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 2
> > Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 2
> > Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 1
> > Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 1
> >
> > That does not look good. :( I run FreeBSD 4.7R. Today I added a few
> > rules using "limit src-addr". Could that be it? And what does it mean?
> > Are some rules broken after this? I never had this happen before. Why
> > would ipfw even want to remove rules?
> >
> > Baffled & Concerned,
> >
> > - Mark
>
> The following thread may be of interest to you:
>
> http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-June/000215.html

Thank you for the thread. But a bad situation just got worse; all of a
sudden I got these too:

Sep 18 17:45:06 asarian-host /kernel: drop session, too many entries
Sep 18 17:45:06 asarian-host /kernel: drop session, too many entries
Sep 18 17:45:16 asarian-host /kernel: drop session, too many entries
Sep 18 17:45:16 asarian-host /kernel: drop session, too many entries

Too many entries? I have "net.inet.ip.fw.dyn_max" set to 1000. And there are
certainly not 1000+ dynamic rules. Well, thinking out loud, there would be
if "OUCH! cannot remove rule". :(

Is there an ipfw patch somewhere, so I can rebuild the kernel? I do not wish
to perform a cvsup, as that tends to make the system unstable. But if I can
compile a new kernel on a Vmware box, and then copy over /kernel to the real
server, well, that I dare give a try.

Thanks,

- Mark
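The two kernel messages above, the dyn_max sysctl and the "limit src-addr" rules all revolve around the same resource: ipfw's table of dynamic (stateful) rules. Below is an added triage script; it is not part of the thread and not FreeBSD's code. It runs offline over constructed samples of /var/log/messages, `sysctl net.inet.ip.fw` and `ipfw -d list` (the sysctl names net.inet.ip.fw.dyn_count and net.inet.ip.fw.dyn_max are real; the sample values, addresses and the exact layout of the dynamic-rule lines are assumptions), and shows how to tell whether the table is near dyn_max and which source address is holding most of the states.

```shell
#!/bin/sh
# Added triage example, not part of the thread above. It works entirely on
# constructed sample text so it can run anywhere; on the real host you would
# feed it `sysctl net.inet.ip.fw`, `ipfw -d list` and /var/log/messages.

# Constructed sample of the kernel messages quoted in the thread, mixed with
# an unrelated line so the counter has something to ignore.
SAMPLE_MESSAGES='Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 1
Sep 18 02:00:18 asarian-host /kernel: OUCH! cannot remove rule, count 2
Sep 18 02:00:19 asarian-host sshd[4711]: Accepted publickey for mark from 192.0.2.7
Sep 18 17:45:06 asarian-host /kernel: drop session, too many entries
Sep 18 17:45:06 asarian-host /kernel: drop session, too many entries
Sep 18 17:45:16 asarian-host /kernel: drop session, too many entries'

# Constructed sample of `sysctl net.inet.ip.fw` output (values invented).
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_count: 997
net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_udp_lifetime: 10'

# Constructed sample of `ipfw -d list` output. The exact layout of dynamic
# rule lines differs between ipfw versions; the parser below assumes only that
# each one ends in "SRC SPORT <-> DST DPORT", which you should confirm against
# your own output before trusting the per-source counts. The static rule is
# the shape of a "limit src-addr" rule: at most 4 states per source address.
SAMPLE_IPFW='00300 allow tcp from any to me 22 setup limit src-addr 4
65535 deny ip from any to any
## Dynamic rules:
00300 5 300 (T 300) 198.51.100.9 2001 <-> 192.0.2.1 22
00300 5 300 (T 300) 198.51.100.9 2002 <-> 192.0.2.1 22
00300 5 300 (T 300) 198.51.100.9 2003 <-> 192.0.2.1 22
00300 5 300 (T 300) 203.0.113.4 40001 <-> 192.0.2.1 22'

# Number of log lines carrying a given kernel message.
count_msg() {
    printf '%s\n' "$1" | grep -c "$2"
}

# Percentage of the dynamic-rule table in use (dyn_count / dyn_max, truncated).
# Prints -1 when dyn_max is missing or zero.
dyn_usage_pct() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "net.inet.ip.fw.dyn_count" { c = $2 }
        $1 == "net.inet.ip.fw.dyn_max"   { m = $2 }
        END { if (m > 0) printf "%d\n", 100 * c / m; else print -1 }'
}

# Dynamic rules per source address, busiest first, as "COUNT ADDR" lines.
# Only lines after the "## Dynamic rules" header that contain "<->" count,
# and the source address is taken as the 4th field before the end of the line.
top_src_addrs() {
    printf '%s\n' "$1" | awk '
        /^## Dynamic rules/ { dyn = 1; next }
        dyn && /<->/        { n[$(NF-4)]++ }
        END { for (a in n) print n[a], a }' | sort -rn
}

# Stand-alone report over the constructed samples.
echo "OUCH lines:         $(count_msg "$SAMPLE_MESSAGES" 'OUCH! cannot remove rule' || true)"
echo "drop session lines: $(count_msg "$SAMPLE_MESSAGES" 'drop session, too many entries' || true)"
echo "dyn table usage:    $(dyn_usage_pct "$SAMPLE_SYSCTL")%"
echo "states per source address:"
top_src_addrs "$SAMPLE_IPFW"
```

On the real box, `sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max` gives the live numbers for the usage check, and `ipfw -d list` (or `ipfw -de list`, which also shows expired entries that have not been reaped yet) feeds the per-source count. If usage sits near 100% and one address dominates the list, the "drop session, too many entries" lines are simply the table being full; raising dyn_max buys room only if states are actually expiring, which is exactly what the "OUCH! cannot remove rule" messages call into question.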
