Date: Sun, 5 Oct 2008 20:23:26 +0200
From: "(-K JohnNy"
To: freebsd-questions@freebsd.org
Subject: Re: pf vs. RST attack question
Message-ID: <20081005182326.GE1787@georg.localdomain>
In-Reply-To: <200810051753.m95Hr3N5014872@mp.cs.niu.edu>

On Sun, Oct 05, 2008 at 12:53:03PM -0500, Scott Bennett wrote:
> I'm getting a lot of messages like this:
>
> Oct 4 14:30:00 hellas kernel: Limiting closed port RST response from 250 to 200 packets/sec
>
> Is there some rule I can insert into /etc/pf.conf to reject these apparently
> invalid RST packets before they can bother TCP? At the same time, I do not
> want to reject legitimate RST packets.
> Thanks in advance for any clues!

Well, just to clarify a bit, the RST packets aren't the ones you are
getting. You are apparently getting port-scanned. The message just says
it won't reply with an RST packet to a SYN going to a closed port more
than 200 times per second. I would suggest ignoring all SYN packets
going to closed ports. Haven't yet used pf though, so I can't say how
exactly to do this.

-- 
(-K JohnNy alias Partial Derivative ∂
[home] http://johnny64.fixinko.sk/ [icq] 338328204 [abandoned]
[jabber] JohnNy64@swissjabber.org [skype] JohnNy64-konik [abandoned]
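
Added example, not part of the original message or thread: a minimal /etc/pf.conf that silently drops SYNs to closed ports, as the reply suggests, so those packets never reach the TCP stack and its RST rate limiter. The interface name em0 and the list of open ports are assumptions to be replaced with the host's real values.

```conf
# /etc/pf.conf (added example; em0 and the port list are assumed values)
ext_if = "em0"                 # assumed external interface
tcp_services = "{ 22, 80 }"    # assumed ports that really have listeners

# Drop blocked packets silently instead of answering with RST/ICMP
set block-policy drop
set skip on lo0

# Normalize fragments and odd flag combinations before filtering
scrub in all

# Default deny: a SYN to a closed port is discarded here, so the TCP stack
# never sees it and never has to generate (or rate-limit) an RST
block in on $ext_if all

# Stateful pass for outbound traffic; replies, including legitimate RSTs
# for these connections, match the state entry and are let through
pass out on $ext_if all keep state

# Only connection-opening SYNs to the listed services create inbound state
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading the ruleset with `pfctl -f /etc/pf.conf`.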