Did you try a check_state? I am using this same rule structure on BSD6 without a problem.
Thanks,
Jason
http://jasonlewis.yaritz.net

> Freddie Cash wrote:
>> On Thu, Oct 1, 2009 at 2:28 PM, Chris St Denis <[email protected]> wrote:
>>
>>> Haven't gotten any response on -questions so trying here. I've also opened
>>> a PR (kern/139226) but it's gotten no replies so I figured I should try here
>>> since I'm not certain if it's a bug or not. Regardless, I am hoping for at
>>> least a work-around -- a few extra rules or settings to keep my console from
>>> being flooded by errors. So far the only option I found is commenting out the
>>> error display line in the kernel source, which is far from optimal.
>>>
>>> I'm trying to set up a stateful firewall for my server such that any traffic
>>> can go out, and its reply come back -- a fairly typical workstation setup.
>>> However I'm getting the error message "ipfw: install_state: entry already
>>> present, done" repeated many times in my logs (though the rules seemed to work
>>> fine otherwise).
>>>
>>> I stripped down the rules to the minimum I could and discovered the line
>>> causing it is "allow udp from me to any keep-state".
>>>
>>> Only seems to happen when I have bind running as a slave dns server (not
>>> publicly listed, just the zone replication traffic causes the error) but I
>>> assume any other large source of UDP traffic would also do it.
>>>
>>> Full firewall rules:
>>>
>>> dns2# ipfw list
>>> 00100 allow ip from any to any via lo0
>>> 00200 deny ip from any to 127.0.0.0/8
>>> 00300 deny ip from 127.0.0.0/8 to any
>>> 00400 allow udp from me to any keep-state
>>> 65535 deny ip from any to any
>>>
>> If you add "out xmit em0" to the udp rule, do the errors stop?
>
> I added that and restarted bind (thus generating a bunch of UDP traffic)
> and the error still floods the console.
>
> Current rule set:
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 allow udp from me to any out xmit em0 keep-state
> 00500 allow ip from any to any
> 65535 deny ip from any to any
>
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "[email protected]"
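As an added example (not posted by anyone in this thread), here is an rc.firewall-style script that puts an explicit `check-state` rule ahead of the `keep-state` rule, which is the structure Jason's reply suggests, and keeps the `out xmit em0` qualifier Freddie proposed. The `fwcmd` variable and the `apply`/`state` arguments are this script's own conventions; the rule numbers and the em0 interface name follow the quoted rule sets.

```shell
#!/bin/sh
# Added example, not from the thread: stateful ipfw rule set with an
# explicit check-state rule placed before the keep-state rule.
# fwcmd defaults to /sbin/ipfw; override it (e.g. fwcmd=echo) to dry-run
# and see the rules that would be loaded without touching the firewall.
fwcmd="${fwcmd:-/sbin/ipfw}"

# Load the rule set, one ipfw invocation per rule.
load_rules() {
    "$fwcmd" -f flush
    "$fwcmd" add 00100 allow ip from any to any via lo0
    "$fwcmd" add 00200 deny ip from any to 127.0.0.0/8
    "$fwcmd" add 00300 deny ip from 127.0.0.0/8 to any
    # check-state first: a packet that already has a dynamic entry is
    # matched here and never reaches the keep-state rule again, so ipfw
    # is not asked to install a state that is already present.
    "$fwcmd" add 00400 check-state
    "$fwcmd" add 00500 allow udp from me to any out xmit em0 keep-state
    # The default rule 65535 (deny ip from any to any) is built into the
    # kernel and does not need to be added here.
}

# List the dynamic (state) table so you can watch entries appear for
# outbound UDP and expire afterwards.
show_state() {
    "$fwcmd" -d list
}

case "${1:-}" in
    apply) load_rules ;;
    state) show_state ;;
esac
```

Run `sh ipfw-rules.sh apply` to load the rules and `sh ipfw-rules.sh state` to inspect the dynamic entries. The catch-all `00500 allow ip from any to any` from the second quoted rule set is deliberately left out: it accepts every packet before the default deny, so with it in place the stateful rule decides nothing.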
