Date: Sun, 5 Oct 2008 20:23:26 +0200
From: "(-K JohnNy" <johnny64@swissjabber.org>
To: freebsd-questions@freebsd.org
Subject: Re: pf vs. RST attack question
Message-ID: <20081005182326.GE1787@georg.localdomain>
In-Reply-To: <200810051753.m95Hr3N5014872@mp.cs.niu.edu>
References: <200810051753.m95Hr3N5014872@mp.cs.niu.edu>
On Sun, Oct 05, 2008 at 12:53:03PM -0500, Scott Bennett wrote:
> I'm getting a lot of messages like this:
>
> Oct 4 14:30:00 hellas kernel: Limiting closed port RST response from 250 to 200 packets/sec
>
> Is there some rule I can insert into /etc/pf.conf to reject these apparently
> invalid RST packets before they can bother TCP? At the same time, I do not
> want to reject legitimate RST packets.
> Thanks in advance for any clues!

Well, just to clarify a bit, the RST packets aren't the ones you are getting. You are apparently getting port-scanned. The message just says it won't reply by an RST packet to a SYN going to a closed port more than 200 times per second.

I would suggest ignoring all SYN packets going to closed ports. Haven't yet used pf though, so I can't say how exactly to do this.

--
(-K JohnNy alias Partial Derivative ∂
[home] http://johnny64.fixinko.sk/
[icq] 338328204 [abandoned]
[jabber] JohnNy64@swissjabber.org
[skype] JohnNy64-konik [abandoned]
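As an added example (not from either poster in this thread), here is a minimal /etc/pf.conf that does what the reply suggests: a default-deny policy that silently drops SYNs to ports the host does not offer, so the kernel never has to generate the RSTs that the "Limiting closed port RST response" message is counting, while RSTs belonging to established flows still pass. The interface name `em0` and the port list are assumptions for the example.

```pf
# Added example, not the thread's own config. Interface and ports are assumed.
ext_if = "em0"
tcp_services = "{ 22, 80 }"

set skip on lo0
scrub in on $ext_if all

# Default policy: drop silently (plain "block", not "block return").
# A SYN to a closed port is discarded by pf before the TCP stack sees it,
# so the stack has no reason to answer with an RST at all.
block in log on $ext_if all
block out on $ext_if all

# Only an initial SYN (SYN set, ACK clear) may open a connection to the
# offered services. The resulting state entry then carries the rest of the
# handshake and any legitimate RST on that flow, so those are not rejected.
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services flags S/SA keep state

# Traffic the host itself originates, stateful so replies (RSTs included) return.
pass out on $ext_if proto { tcp, udp, icmp } all keep state
```

Load it only after a syntax check with `pfctl -nf /etc/pf.conf`; note that `block return` would make pf send the RSTs itself, which is the opposite of the goal here.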