From: Mike Silbersack <silby@silby.com>
To: Anshuman Kanwar
Cc: freebsd-questions@freebsd.org
Subject: Re: RST limit and ICMP_BANDLIM
Date: Thu, 1 Aug 2002 17:37:55 -0500 (CDT)
Message-ID: <20020801172948.Y17087-100000@patrocles.silby.com>

On Thu, 1 Aug 2002, Anshuman Kanwar wrote:

> Hi all,
>
> I understand that RST packets are returned for TCP packets that are
> received for closed ports. And a log message of the form:
>
> Limiting closed port RST response from 233 to 200 packets per second
>
> is generated.
>
> My questions about this are:
>
> 1) What happens if the packets are dropped without returning a RST.
> Will this be against RFC specs.

Technically, yes. In practice, rate limiting won't break anything. (Well, unless DoS packets are getting all the RST responses, in which case all hell has broken loose anyway.)
> 2) Is there a kernel option to enable the above behavior. I could not
> find anything in LINT.

I'm not sure what you're asking.

> 3) What is ICMP_BANDLIM ? and is it in any way related to these RST
> responses ? If it is then should it not be called TCP_RST_LIMIT?
>
> I am confused. Are we talking TCP or ICMP?

The ICMP_BANDLIM feature affects 5 different types of responses, see the function badport_bandlim in ip_icmp.c. The option was removed and made a mandatory feature in 5.0, but it will continue to be called ICMP_BANDLIM in 4.x. Renaming it would just result in most people getting annoyed at kernel configs changing.

> I searched the archives but they generally do not talk beyond saying that
> these messages are generated by NMAP scans. I need more details.

Because you're being attacked, or because I'm doing your homework for you? :)

Mike "Silby" Silbersack
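An added illustration, not the kernel's code or anything from this thread, of the per-second limiter that badport_bandlim implements: each response class keeps its own counter and window start, the "Limiting ... from N to M" line reports the previous window's total once a full second has elapsed, and responses beyond the limit are dropped rather than sent. The tick rate, the five class names other than the closed-port one the thread quotes, and the simulated clock are assumptions; the limit of 200 matches the log line in the question.

```c
#include <stdio.h>

#define HZ       100   /* assumed kernel ticks per second */
#define ICMPLIM  200   /* assumed per-class limit, matching "to 200" in the thread's log line */

/* The five response classes the limiter covers; names other than the closed-port one are assumed. */
enum { BANDLIM_ICMP_UNREACH, BANDLIM_ICMP_ECHO, BANDLIM_ICMP_TSTAMP,
       BANDLIM_RST_CLOSEDPORT, BANDLIM_RST_OPENPORT, BANDLIM_MAX };
static const char *bandlimname[BANDLIM_MAX] = {
    "icmp unreach response", "icmp ping response", "icmp tstamp response",
    "closed port RST response", "open port RST response" };

static unsigned long ticks;                 /* simulated kernel tick counter */
static unsigned long lticks[BANDLIM_MAX];   /* tick at which each class's current window began */
static int lpackets[BANDLIM_MAX];           /* responses attempted in the current window */
static int last_logged_count = -1;          /* the "from N" value of the most recent log line */

/* Returns 0 if the response may be sent, -1 if it must be silently dropped. */
int badport_bandlim_model(int which)
{
    if (which < 0 || which >= BANDLIM_MAX) return 0;
    if (ticks - lticks[which] > HZ) {       /* a full second has elapsed: roll the window */
        if (lpackets[which] > ICMPLIM) {    /* report the window that overran, then reset */
            last_logged_count = lpackets[which];
            printf("Limiting %s from %d to %d packets per second\n",
                   bandlimname[which], lpackets[which], ICMPLIM);
        }
        lticks[which] = ticks;
        lpackets[which] = 0;
    }
    return (++lpackets[which] > ICMPLIM) ? -1 : 0;
}

/* Deliver n closed-port probes within one second, then advance the clock past the window.
 * Returns how many RSTs were actually sent; the log line appears on the next call. */
int simulate_closed_port_burst(int n)
{
    int sent = 0;
    for (int i = 0; i < n; i++)
        if (badport_bandlim_model(BANDLIM_RST_CLOSEDPORT) == 0) sent++;
    ticks += HZ + 1;
    return sent;
}

int main(void)
{
    int sent = simulate_closed_port_burst(233);     /* the burst behind the thread's log line */
    badport_bandlim_model(BANDLIM_RST_CLOSEDPORT);  /* first probe of the next second prints it */
    printf("sent %d of 233 RSTs\n", sent);          /* prints "sent 200 of 233 RSTs" */
    return 0;
}
```

The point for anyone reading such a log line: the number after "from" is the count attempted in the previous second, not the number dropped, and the line is only emitted once the next response in that class arrives.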