Date: Thu, 4 Nov 2004 14:30:49 -0600
From: Nathan Kinkade <nkinkade@ub.edu.bz>
To: Charles Swiger <cswiger@mac.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: kernel: Limiting open port RST
Message-ID: <20041104203049.GS13601@gentoo-npk.bmp.ub>
In-Reply-To: <C0C39C5D-2E92-11D9-8097-003065ABFD92@mac.com>
References: <20041104181808.GR13601@gentoo-npk.bmp.ub> <C0C39C5D-2E92-11D9-8097-003065ABFD92@mac.com>
On Thu, Nov 04, 2004 at 01:53:01PM -0500, Charles Swiger wrote:
> On Nov 4, 2004, at 1:18 PM, Nathan Kinkade wrote:
> >I am getting a tremendous amount of messages on a particular server
> >saying something close to:
> >
> >kernel: Limiting open port RST response from 302 to 200 packets/sec
>
> This generally means the system is being portscanned.

This is what I have suspected, and it doesn't bother me too much except
for the fact that it has been happening since yesterday, which should
rule out any simple portscan by a single host. Also, normal TCP-connect
scans should never be able to get to the server through the firewall,
except from inside our network, but the RST packets *seem* to be going
to random Internet hosts.

<snip>

> If you turn on the blackhole sysctls, then your machine will not
> generate RST packets. Caveat operator. :-)

Yes, the blackhole sysctls are, and have been, on, which is part of the
reason that I am baffled about the syslog messages.

> >Does anyone have advice on this?
>
> If this machine is not supposed to be completely exposed on the 'net,
> consider putting it behind a firewall.

This machine is behind an ipfw firewall, and there is not a single rule
that allows in-bound connections to this server. However, the firewall
does allow all established connections through. Since this machine is
running natd and squid it also has ipfw active.
So when I add this rule:

# ipfw add 350 allow log tcp from me to any tcpflags rst

I get messages like the following in /var/log/security at the rate of
about 1 every 4 or 5 seconds:

kernel: ipfw: 350 Accept TCP <server ip>:53505 65.216.123.144:80 out via xl0
kernel: ipfw: 350 Accept TCP <server ip>:59624 66.244.221.7:80 out via xl0
kernel: ipfw: 350 Accept TCP <server ip>:58126 219.129.216.116:80 out via xl0
kernel: ipfw: 350 Accept TCP <server ip>:55069 207.68.167.254:80 out via xl0
kernel: ipfw: 350 Accept TCP <server ip>:59656 65.77.211.156:80 out via xl0

I'm not sure I understand why the RST packets are being sent to seemingly
random Internet hosts, all to a dstport 80. So this just adds to the
mystery of how any host is getting a SYN packet through to this machine
through the firewall, and further why the blackhole sysctls are not
causing the packets to be silently dropped. Has anyone seen something
like this?

This machine is running 5.2.1-RELEASE-p9.

Nathan
-- 
PGP Public Key: pgp.mit.edu:11371/pks/lookup?op=get&search=0xD8527E49
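A triage helper for log lines of the shape shown in the message above, added here as an example and not part of the thread or of FreeBSD's own tooling. It parses ipfw "Accept TCP" lines from /var/log/security, then reports what a responder would want to know before deciding whether this is scan backscatter or locally originated traffic: which destination ports and hosts the RSTs go to, whether the local source ports fall in the ephemeral range, which interface and direction they leave on, and the average interval between them. The sample log is constructed: it assumes a syslog prefix of the form "Nov  4 14:21:03 gw kernel: ", uses the documentation address 192.0.2.10 in place of "<server ip>", and takes the IANA dynamic range 49152-65535 as the ephemeral range (the host's actual range is set by the net.inet.ip.portrange sysctls, so adjust the constant to match).

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed ephemeral source-port range (IANA dynamic/private range). On a real
# host compare against the net.inet.ip.portrange.* sysctls instead.
EPHEMERAL_RANGE = (49152, 65535)

# Matches a syslog-prefixed ipfw TCP log line, e.g.
#   Nov  4 14:21:03 gw kernel: ipfw: 350 Accept TCP 192.0.2.10:53505 65.216.123.144:80 out via xl0
IPFW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\w+)$"
)

# Constructed sample: the five destinations from the message, a placeholder
# server address, and one unrelated syslog line to show that it is skipped.
SAMPLE_LOG = """\
Nov  4 14:21:03 gw kernel: ipfw: 350 Accept TCP 192.0.2.10:53505 65.216.123.144:80 out via xl0
Nov  4 14:21:07 gw kernel: ipfw: 350 Accept TCP 192.0.2.10:59624 66.244.221.7:80 out via xl0
Nov  4 14:21:10 gw sshd[4321]: Accepted publickey for admin from 192.0.2.25 port 50022 ssh2
Nov  4 14:21:12 gw kernel: ipfw: 350 Accept TCP 192.0.2.10:58126 219.129.216.116:80 out via xl0
Nov  4 14:21:16 gw kernel: ipfw: 350 Accept TCP 192.0.2.10:55069 207.68.167.254:80 out via xl0
Nov  4 14:21:21 gw kernel: ipfw: 350 Accept TCP 192.0.2.10:59656 65.77.211.156:80 out via xl0
"""


@dataclass(frozen=True)
class IpfwEntry:
    ts: datetime
    rule: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str


def parse_ipfw_line(line: str) -> Optional[IpfwEntry]:
    """Return an IpfwEntry for an ipfw TCP log line, or None for anything else."""
    m = IPFW_RE.match(line.rstrip())
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used below.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return IpfwEntry(
        ts=ts,
        rule=int(m["rule"]),
        action=m["action"],
        proto=m["proto"],
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
        direction=m["direction"],
        iface=m["iface"],
    )


def parse_log(text: str) -> list:
    """Parse every line, silently dropping lines that are not ipfw TCP entries."""
    return [e for e in map(parse_ipfw_line, text.splitlines()) if e is not None]


def mean_interval_seconds(entries: list) -> float:
    """Average spacing between consecutive entries (0.0 if fewer than two)."""
    if len(entries) < 2:
        return 0.0
    ordered = sorted(e.ts for e in entries)
    return (ordered[-1] - ordered[0]).total_seconds() / (len(ordered) - 1)


def summarize(text: str) -> dict:
    """Aggregate the facts a responder checks first for a burst of logged RSTs."""
    entries = parse_log(text)
    lo, hi = EPHEMERAL_RANGE
    return {
        "total": len(entries),
        "by_dport": Counter(e.dport for e in entries),
        "by_dst": Counter(e.dst for e in entries),
        "by_iface_dir": Counter((e.iface, e.direction) for e in entries),
        # Local ports all in the ephemeral range point at locally originated
        # connections; a spread of well-known local ports would look more like
        # replies to an inbound scan.
        "ephemeral_src": sum(1 for e in entries if lo <= e.sport <= hi),
        "mean_interval_s": mean_interval_seconds(entries),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it on the sample shows five RSTs, all to port 80, all leaving on xl0, all from ephemeral local ports, roughly 4.5 s apart; the same script pointed at a real /var/log/security gives the breakdown for the actual burst.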