From owner-freebsd-questions@FreeBSD.ORG Thu Nov 4 18:25:04 2004
Date: Thu, 4 Nov 2004 12:18:08 -0600
From: Nathan Kinkade <nkinkade@fastmail.fm>
To: freebsd-questions@freebsd.org
Subject: kernel: Limiting open port RST
Message-ID: <20041104181808.GR13601@gentoo-npk.bmp.ub>
User-Agent: Mutt/1.5.6i

I am getting a tremendous number of messages on a particular server saying
something close to:

kernel: Limiting open port RST response from 302 to 200 packets/sec

I understand the reasons for the message, but I'm having a hard time
tracking down a possible point source. Neither ethereal nor tcpdump seem to
be picking up any packets with the TCP RST bit set. I have tried this, for
example:

# tcpdump 'tcp[tcpflags] & tcp-rst = 1'

... but get nothing. I have also tried adding a logging rule to ipfw, such
as:

# ipfw add allow log tcp from me to any tcpflags rst

However, the logged results don't appear to be correct. Log messages do
show up in /var/log/security, but at the rate of about 1 message every 4 or
5 seconds, which doesn't seem consistent with a rate limit of 200
packets/sec being implemented.

Basically, I'm wanting to find out if the machine(s) causing this are
coming from the internal network, or outside. And if coming from inside,
which machine is flooding the server with bogus SYN requests to
non-listening ports. TCP and UDP blackhole sysctls are also already set up,
and it appears that the RST packets are being sent out to internet hosts
with a dstport of 80. The machine being affected is running squid.

Does anyone have advice on this?

Thanks,
Nathan

-- 
PGP Public Key: pgp.mit.edu:11371/pks/lookup?op=get&search=0xD8527E49
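An added example (not part of Nathan's post) that does the tally he is after: it reads `tcpdump -nn` output, keeps only RST segments sent by the server, and groups the peers by whether they fall in RFC 1918 space, which answers the inside-or-outside question directly. The sample capture, the server address 10.1.2.3 and the modern `Flags [R]` line format are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -nn` output (not a real capture): the server is
# 10.1.2.3 and sends RSTs to two outside web servers and one internal host.
SAMPLE_CAPTURE = """\
12:18:08.000101 IP 10.1.2.3.41000 > 198.51.100.7.80: Flags [R], seq 0, win 0, length 0
12:18:08.000202 IP 10.1.2.3.41001 > 198.51.100.7.80: Flags [R], seq 0, win 0, length 0
12:18:08.000303 IP 10.1.2.3.41002 > 203.0.113.9.80: Flags [R.], seq 0, ack 1, win 0, length 0
12:18:08.000404 IP 10.1.2.3.41003 > 10.1.2.77.80: Flags [R], seq 0, win 0, length 0
12:18:08.000505 IP 203.0.113.9.80 > 10.1.2.3.41002: Flags [S.], seq 5, ack 1, win 65535, length 0
"""

# One tcpdump -nn line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# RFC 1918 ranges; any other address is treated as an outside host.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def tally_outgoing_rsts(capture: str, local_addr: str) -> Counter:
    """Count RST segments sent by local_addr, keyed by (peer, dport, scope)."""
    counts: Counter = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        # Skip non-matching lines, segments without the RST bit, and inbound traffic.
        if not m or "R" not in m["flags"] or m["src"] != local_addr:
            continue
        scope = "internal" if is_internal(m["dst"]) else "external"
        counts[(m["dst"], int(m["dport"]), scope)] += 1
    return counts


if __name__ == "__main__":
    tally = tally_outgoing_rsts(SAMPLE_CAPTURE, "10.1.2.3")
    for (peer, port, scope), n in tally.most_common():
        print(f"{n:4d} RST -> {peer}:{port} ({scope})")
```

Feed it `tcpdump -nn 'tcp[tcpflags] & tcp-rst != 0'`: tcpdump's `tcp-rst` constant is 0x04, so the `= 1` comparison in the filter above can never match, which is why that capture came back empty.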