From: Jerahmy Pocott
Date: Fri, 2 Sep 2005 20:15:15 +1000
To: Dark Star
Cc: freebsd-questions@freebsd.org
Subject: Re: Limiting closed port

On 01/09/2005, at 7:20 PM, Dark Star wrote:

> Hello all,
>
> I'm on FreeBSD 4.8-R
> my logs since over 4 months always complaining from the following:
>
> /kernel: Limiting closed port RST response from 243 to 200 packets per second
> /kernel: Limiting closed port RST response from 222 to 200 packets per second
> /kernel: Limiting closed port RST response from 238 to 200 packets per second
>
> I think it's some type of scan or attack.

A scan.
If someone tries to connect to a port that has no service attached to it, by default the server will send a RST (reset) packet back (for TCP). Someone is trying to scan you very quickly, so generating a lot of RST packets (probably scanning a very large range of ports) and the kernel is reducing the amount it will send per second.

This isn't really a problem, you can also set it so that connections to closed ports will not generate a RST response, but you would no longer be compliant with the RFCs regarding TCP connections.

If you aren't running a firewall you should probably be running one anyway since it seems your system is exposed to the outside world.

Personally I wouldn't be worried about the above log, unless you are running services which allow connections from the outside and which are possibly not very secure (public ftp, old versions of named, etc).
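
An added example, not part of the original message: a small shell/awk summariser for the kernel messages quoted above, showing per day how often the limiter fired, the peak offered RST rate, and how many RSTs were held back. The hostname, timestamps and the last two sample lines are constructed; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: summarise "Limiting closed port RST response" kernel messages.
# Each message covers one second: the kernel wanted to send <offered> RSTs and
# capped them at <cap>, so (offered - cap) RSTs were not sent in that second.

# Constructed sample input (hostname, timestamps and the last two lines are
# made up; the three rates 243/222/238 are the ones quoted in the post).
sample_log() {
    cat <<'EOF'
Sep  1 19:20:01 host /kernel: Limiting closed port RST response from 243 to 200 packets per second
Sep  1 19:20:02 host /kernel: Limiting closed port RST response from 222 to 200 packets per second
Sep  1 19:20:03 host /kernel: Limiting closed port RST response from 238 to 200 packets per second
Sep  1 19:21:10 host sshd[412]: unrelated line that must be ignored
Sep  2 03:02:11 host /kernel: Limiting closed port RST response from 1210 to 200 packets per second
EOF
}

# Reads syslog lines on stdin; prints one line per day:
#   <Mon> <day> events=<n> peak=<pps> suppressed=<pkts>
summarize_rst_limit() {
    awk '
    /Limiting closed port RST response from [0-9]+ to [0-9]+ packets per second/ {
        # Find "from <offered> to <cap>" by position, so the syslog tag
        # ("/kernel:" or "kernel:") and hostname do not matter.
        for (i = 1; i <= NF; i++)
            if ($i == "from" && $(i + 2) == "to") break
        if (i > NF) next
        offered = $(i + 1) + 0
        cap = $(i + 3) + 0
        day = $1 " " $2
        if (!(day in events)) order[++n] = day   # keep first-seen order
        events[day]++
        if (offered > peak[day]) peak[day] = offered
        suppressed[day] += offered - cap
    }
    END {
        for (k = 1; k <= n; k++) {
            d = order[k]
            printf "%s events=%d peak=%d suppressed=%d\n", d, events[d], peak[d], suppressed[d]
        }
    }'
}

sample_log | summarize_rst_limit
```

On a live host the same function can be fed the system log, for example `summarize_rst_limit < /var/log/messages`; the cap reported in each message is normally the value of the `net.inet.icmp.icmplim` sysctl.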