From owner-freebsd-questions@FreeBSD.ORG Wed Oct 8 07:42:35 2014
Message-ID: <5434E626.80104@qeng-ho.org>
Date: Wed, 08 Oct 2014 08:22:14 +0100
From: Arthur Chance
To: "William A. Mahaffey III", "FreeBSD Questions !!!!"
Subject: Re: oddball syslog entries ....
In-Reply-To: <5434A8F7.1090507@hiwaay.net>
List-Id: User questions

On 08/10/2014 04:01, William A. Mahaffey III wrote:
>
> Over the last couple of days I am seeing some odd (to me) entries in my
> messages file:
>
> [irrelevance snipped]
> Oct 5 11:30:22 kabini1 kernel: Limiting closed port RST response from 276 to 200 packets/sec
> Oct 5 11:30:24 kabini1 kernel: Limiting closed port RST response from 239 to 200 packets/sec
> Oct 5 11:30:25 kabini1 kernel: Limiting closed port RST response from 280 to 200 packets/sec
> Oct 5 11:30:26 kabini1 kernel: Limiting closed port RST response from 319 to 200 packets/sec
> Oct 7 10:41:25 kabini1 kernel: Limiting closed port RST response from 276 to 200 packets/sec
> Oct 7 10:41:26 kabini1 kernel: Limiting closed port RST response from 239 to 200 packets/sec
> Oct 7 10:41:27 kabini1 kernel: Limiting closed port RST response from 280 to 200 packets/sec
> Oct 7 10:41:29 kabini1 kernel: Limiting closed port RST response from 319 to 200 packets/sec
> Oct 7 14:59:41 kabini1 kernel: Limiting closed port RST response from 253 to 200 packets/sec
> Oct 7 14:59:42 kabini1 kernel: Limiting closed port RST response from 233 to 200 packets/sec
> Oct 7 14:59:44 kabini1 kernel: Limiting closed port RST response from 265 to 200 packets/sec
> Oct 7 14:59:45 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec
> Oct 7 14:59:47 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec
> Oct 7 15:03:18 kabini1 kernel: Limiting closed port RST response from 253 to 200 packets/sec
> Oct 7 15:03:20 kabini1 kernel: Limiting closed port RST response from 233 to 200 packets/sec
> Oct 7 15:03:21 kabini1 kernel: Limiting closed port RST response from 265 to 200 packets/sec
> Oct 7 15:03:22 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec
> Oct 7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec
>
> The stuff from Oct 2 is irrelevant, included for completeness/context.
> The lines about 'Limiting closed port ....' are puzzling to me. Where
> are they coming from ? Problem or chatter ? Enquiring minds wanna know
> ;-) .... TIA for any clues ....
>

I occasionally get this on a machine that sits squarely behind a locked-down
pfSense firewall. If you want to see what's causing it,
sysctl net.inet.tcp.log_in_vain=1 (put it into your /etc/sysctl.conf if you
want it to last over reboots). This will show you where the packet came from
and which port on your machine was the target. In my case it seemed to be a
mix of DNS responses from the outside world that arrived too late and a local
long-running Firefox occasionally pounding on the ident port (113) for no good
reason I ever discovered. Nothing seems particularly dubious, unless the DNS
responses were attempted spoofs, but my ISP is one of the better UK ones and
I'd expect them to mitigate such attacks.
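The reply above suggests turning on net.inet.tcp.log_in_vain and then reading the resulting lines alongside the rate-limit messages. The script below is an added example for this thread, not code from either poster: it parses both kinds of line from a syslog file, groups the "Limiting closed port RST response" messages into bursts with their peak attempted rate, and summarises the log_in_vain hits per source address with a coarse label matching the three explanations that come up in the thread (late DNS replies from source port 53, a local process hammering ident/113, or one source touching many closed ports). The rate-limit sample lines are the ones quoted in the thread; the log_in_vain lines are constructed with RFC 5737 test addresses and assume the kernel's "Connection attempt to TCP|UDP dst:port from src:port [flags:0x..]" form, which you should check against your own /var/log/messages.

```python
"""Triage helper for the two FreeBSD kernel messages discussed in this thread.

Added example, not code from the list posts. Assumptions:
  * rate-limit lines look like the ones quoted in the thread
    ("Limiting closed port RST response from N to 200 packets/sec");
  * log_in_vain lines use the kernel's "Connection attempt to TCP|UDP d:port
    from s:port [flags:0x..]" form (verify against your own messages file);
  * the log_in_vain sample lines below are constructed, not real captures.
"""
import re
from collections import defaultdict
from datetime import datetime

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
RST_LIMIT_RE = re.compile(
    SYSLOG_TS + r" (?P<host>\S+) kernel: Limiting closed port RST response "
    r"from (?P<seen>\d+) to (?P<limit>\d+) packets/sec"
)
IN_VAIN_RE = re.compile(
    SYSLOG_TS + r" (?P<host>\S+) kernel: Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?: flags:0x(?P<flags>[0-9A-Fa-f]+))?"
)


def _parse_ts(ts):
    # syslog timestamps carry no year; year 1900 is fine for computing gaps
    return datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S")


def rst_bursts(lines, gap_seconds=5):
    """Group rate-limit messages that fall within gap_seconds of each other.
    Returns one dict per burst: start, end, message count, the peak RST rate
    the kernel wanted to send, and the cap it enforced instead."""
    bursts = []
    for line in lines:
        m = RST_LIMIT_RE.search(line)
        if not m:
            continue
        t = _parse_ts(m.group("ts"))
        seen, limit = int(m.group("seen")), int(m.group("limit"))
        if bursts and (t - bursts[-1]["end"]).total_seconds() <= gap_seconds:
            b = bursts[-1]
            b["end"], b["count"], b["peak"] = t, b["count"] + 1, max(b["peak"], seen)
        else:
            bursts.append({"start": t, "end": t, "count": 1, "peak": seen, "limit": limit})
    return bursts


def classify_sources(lines, sweep_threshold=8):
    """Summarise log_in_vain hits per source address with a coarse label:
    'late-dns-reply'  every hit came from source port 53 (reply arrived after
                      the local socket was gone, as described in the thread)
    'ident-probe'     only port 113 was touched (the Firefox case in the thread)
    'port-sweep'      one source touched >= sweep_threshold distinct closed ports
    'other'           anything else; look at it by hand."""
    per_src = defaultdict(lambda: {"hits": 0, "dports": set(), "sports": set()})
    for line in lines:
        m = IN_VAIN_RE.search(line)
        if not m:
            continue
        rec = per_src[m.group("src")]
        rec["hits"] += 1
        rec["dports"].add(int(m.group("dport")))
        rec["sports"].add(int(m.group("sport")))
    result = {}
    for src, rec in per_src.items():
        if rec["sports"] == {53}:
            label = "late-dns-reply"
        elif rec["dports"] == {113}:
            label = "ident-probe"
        elif len(rec["dports"]) >= sweep_threshold:
            label = "port-sweep"
        else:
            label = "other"
        result[src] = {"hits": rec["hits"], "dports": sorted(rec["dports"]), "label": label}
    return result


# Rate-limit lines as quoted in the thread (host kabini1), two of the bursts.
SAMPLE_LOG = [
    "Oct 5 11:30:22 kabini1 kernel: Limiting closed port RST response from 276 to 200 packets/sec",
    "Oct 5 11:30:24 kabini1 kernel: Limiting closed port RST response from 239 to 200 packets/sec",
    "Oct 5 11:30:25 kabini1 kernel: Limiting closed port RST response from 280 to 200 packets/sec",
    "Oct 5 11:30:26 kabini1 kernel: Limiting closed port RST response from 319 to 200 packets/sec",
    "Oct 7 14:59:41 kabini1 kernel: Limiting closed port RST response from 253 to 200 packets/sec",
    "Oct 7 14:59:42 kabini1 kernel: Limiting closed port RST response from 233 to 200 packets/sec",
    "Oct 7 14:59:44 kabini1 kernel: Limiting closed port RST response from 265 to 200 packets/sec",
    "Oct 7 14:59:45 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec",
    "Oct 7 14:59:47 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec",
    # Constructed log_in_vain lines (RFC 5737 test addresses, not real captures).
    "Oct 7 15:03:18 kabini1 kernel: Connection attempt to TCP 192.0.2.10:113 from 192.0.2.20:49152 flags:0x02",
    "Oct 7 15:03:19 kabini1 kernel: Connection attempt to TCP 192.0.2.10:113 from 192.0.2.20:49153 flags:0x02",
    "Oct 7 15:03:20 kabini1 kernel: Connection attempt to TCP 192.0.2.10:51234 from 198.51.100.7:53 flags:0x12",
    "Oct 7 15:03:21 kabini1 kernel: Connection attempt to UDP 192.0.2.10:51235 from 198.51.100.7:53",
] + [
    "Oct 7 15:03:22 kabini1 kernel: Connection attempt to TCP 192.0.2.10:%d from 203.0.113.9:40000 flags:0x02" % p
    for p in (21, 22, 23, 25, 80, 110, 139, 443, 445)
]

if __name__ == "__main__":
    for b in rst_bursts(SAMPLE_LOG):
        print("burst %s..%s: %d messages, peak %d pps against cap %d" % (
            b["start"].strftime("%b %d %H:%M:%S"), b["end"].strftime("%H:%M:%S"),
            b["count"], b["peak"], b["limit"]))
    for src, rec in sorted(classify_sources(SAMPLE_LOG).items()):
        print("%-15s %3d hits  ports %s  -> %s" % (src, rec["hits"], rec["dports"], rec["label"]))
```

Run it against /var/log/messages (after log_in_vain has been on for a while) by replacing SAMPLE_LOG with the file's lines. The 200 packets/sec figure in the messages is the kernel's cap from net.inet.icmp.icmplim, which limits RSTs to closed ports along with ICMP unreachables; the message itself means the rate limiter is already doing its job, so the only decision left is whether the source addresses it reveals look like the benign cases in the thread or something worth a firewall rule.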