On Thu, Oct 1, 2009 at 2:28 PM, Chris St Denis <ch...@smartt.com> wrote:
> Haven't gotten any response on -questions so trying here. I've also opened > a PR (kern/139226) but it's gotten no replies so I figured I should try here > since I'm not certain if it's a bug or not. Regardless I am hoping for at > least a work-around -- a few extra rules or settings to keep my console from > being flooded by errors. So far only option I found is commenting out the > error display line in the kernel source which is far from optimal. > > I'm trying to setup a stateful firewall for my server such that any traffic > can go out, and it's reply come back -- a fairly typical workstation setup. > However I'm getting the error message "ipfw: install_state: entry already > present, done" repeated many times in my logs (tho the rules seemed to work > fine otherwise). > > I stripped down the rules to the minimum I could and discovered the line > causing it is "allow udp from me to any keep-state". > > Only seems to happen when I have bind running as a slave dns server (not > publicly listed, just the zone replication traffic causes the error) but I > assume any other large source of UDP traffic would also do it. > > Full firewall rules: > > dns2# ipfw list > 00100 allow ip from any to any via lo0 > 00200 deny ip from any to 127.0.0.0/8 > 00300 deny ip from 127.0.0.0/8 to any > 00400 allow udp from me to any keep-state > 65535 deny ip from any to any > > If you add "out xmit em0" to the udp rule, do the errors stop? -- Freddie Cash fjwc...@gmail.com _______________________________________________ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"