Haven't gotten any response on -questions so trying here. I've also
opened a PR (kern/139226) but it's gotten no replies so I figured I
should try here since I'm not certain if it's a bug or not. Regardless, I
am hoping for at least a work-around -- a few extra rules or settings to
keep my console from being flooded by errors. So far the only option I've
found is commenting out the error display line in the kernel source, which
is far from optimal.
I'm trying to set up a stateful firewall for my server such that any
traffic can go out, and its reply come back -- a fairly typical
workstation setup. However I'm getting the error message "ipfw:
install_state: entry already present, done" repeated many times in my
logs (though the rules seemed to work fine otherwise).
I stripped down the rules to the minimum I could and discovered the line
causing it is "allow udp from me to any keep-state".
It only seems to happen when I have bind running as a slave DNS server (not
publicly listed; just the zone replication traffic causes the error), but
I assume any other large source of UDP traffic would also do it.
Full firewall rules:
dns2# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow udp from me to any keep-state
65535 deny ip from any to any
I found some search results for this error message, but none seem to
have a solution to the problem.
I also tried adding at the start "allow { tcp or udp } from any to me
dst-port 53" and "allow { tcp or udp } from me to any uid bind", which
means the keep-state rule shouldn't even be getting hit much, but I still
get a flood of errors.
System info:
dns2# uname -a
FreeBSD dns2 7.2-RELEASE-p2 FreeBSD 7.2-RELEASE-p2 #0: Wed Jun 24
00:14:35 UTC 2009
r...@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
Hardware: virtual server under VMware ESXi (not that that should matter)
Network card: em0
--
Chris St Denis
Programmer
SmarttNet (www.smartt.com)
Ph: 604-473-9700 Ext. 200
-------------------------------------------
"Smart Internet Solutions For Businesses"
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
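The ruleset from the post, as an added example that is neither the poster's script nor FreeBSD's own rc.firewall: it is written as an rc.firewall-style shell script with an explicit check-state rule placed ahead of the keep-state rule (per ipfw(8), without one the dynamic ruleset is only consulted at the first keep-state rule reached), and it adds a helper that counts the quoted kernel message in a log so the rate can be compared before and after a rule change. The loader command is a parameter so the script can be dry-run with echo; rule numbers 350-370 and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not the poster's ruleset. Load with: build_rules "ipfw -q"
# Dry-run with:                                      build_rules echo
build_rules() {
    fwcmd="$1"
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 300 deny ip from 127.0.0.0/8 to any
    # Match packets of already-established dynamic flows here, before any
    # static rule is evaluated (rule number 350 is a constructed choice).
    $fwcmd add 350 check-state
    # Stateless rules for the DNS listener and for bind's own traffic, as
    # the post describes trying; braces are quoted so sh passes them through.
    $fwcmd add 360 allow '{' tcp or udp '}' from any to me dst-port 53
    $fwcmd add 370 allow '{' tcp or udp '}' from me to any uid bind
    # The stateful rule from the post, now reached only by new flows.
    $fwcmd add 400 allow udp from me to any keep-state
}

# Count the kernel message from the post in a log file (argument) or on
# stdin, e.g. count_install_state_errors /var/log/messages
count_install_state_errors() {
    if [ $# -gt 0 ]; then
        grep -c 'ipfw: install_state: entry already present' "$1"
    else
        grep -c 'ipfw: install_state: entry already present'
    fi
}

# Constructed sample log lines (not from the poster's system).
SAMPLE_LOG='Jun 25 10:00:01 dns2 kernel: ipfw: install_state: entry already present, done
Jun 25 10:00:01 dns2 kernel: ipfw: install_state: entry already present, done
Jun 25 10:00:02 dns2 named[PID]: zone example.com/IN: transfer completed'
```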