Freddie Cash wrote:
On Thu, Oct 1, 2009 at 2:28 PM, Chris St Denis <[email protected]> wrote:
Haven't gotten any response on -questions so trying here. I've also opened
a PR (kern/139226) but it's gotten no replies so I figured I should try here
since I'm not certain if it's a bug or not. Regardless I am hoping for at
least a work-around -- a few extra rules or settings to keep my console from
being flooded by errors. So far only option I found is commenting out the
error display line in the kernel source which is far from optimal.
I'm trying to setup a stateful firewall for my server such that any traffic
can go out, and it's reply come back -- a fairly typical workstation setup.
However I'm getting the error message "ipfw: install_state: entry already
present, done" repeated many times in my logs (tho the rules seemed to work
fine otherwise).
I stripped down the rules to the minimum I could and discovered the line
causing it is "allow udp from me to any keep-state".
Only seems to happen when I have bind running as a slave dns server (not
publicly listed, just the zone replication traffic causes the error) but I
assume any other large source of UDP traffic would also do it.
Full firewall rules:
dns2# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow udp from me to any keep-state
65535 deny ip from any to any
If you add "out xmit em0" to the udp rule, do the errors stop
I added that and restarted bind (thus generating a bunch of UDP traffic)
and the error still floods the console.
Current rule set:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow udp from me to any out xmit em0 keep-state
00500 allow ip from any to any
65535 deny ip from any to any
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[email protected]"
