From: Mel
To: freebsd-questions@freebsd.org
Cc: Scott Bennett
Date: Sun, 5 Oct 2008 20:27:05 +0200
Subject: Re: pf vs. RST attack question
In-Reply-To: <200810051753.m95Hr3N5014872@mp.cs.niu.edu>
Message-Id: <200810052027.05712.fbsd.questions@rachie.is-a-geek.net>

On Sunday 05 October 2008 19:53:03 Scott Bennett wrote:
> I'm getting a lot of messages like this:
>
> Oct 4 14:30:00 hellas kernel: Limiting closed port RST response from 250
> to 200 packets/sec
>
> Is there some rule I can insert into /etc/pf.conf to reject these
> apparently invalid RST packets before they can bother TCP? At the same
> time, I do not want to reject legitimate RST packets.
> Thanks in advance for any clues!

Chances are pf is *creating* them.

RST responses are used to signal that a port is closed, which is what block-policy return does. Combined with default block all, a simple portscan will generate this. Switch to block-policy drop and set return for real denies, not default denies.

-- 
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
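The change Mel recommends, written out as a pf.conf fragment: the default deny becomes a silent drop, and only a few deliberate denies keep the RST reply. This is an added illustration, not a ruleset from the thread; the interface name in `ext_if` and the port numbers are assumptions.

```pf
# Before (the situation described in the thread): with block-policy return,
# every TCP packet hitting the default "block all" is answered with a RST,
# so a portscan of closed ports produces a stream of RST responses.
#
#   set block-policy return
#   block all

# After: default denies drop silently, explicit denies still return.
ext_if = "em0"          # assumed interface name

set block-policy drop   # "block" with no option now drops without any reply
block all               # default deny: scanned closed ports get nothing back

# Real denies that should answer with RST (TCP) / unreachable (other protos)
# so the peer fails fast instead of hanging on a timeout. Ports are assumed.
block return in  on $ext_if proto tcp to port 113   # ident lookups from MTAs
block return out on $ext_if proto tcp to port 25    # no direct SMTP out of the LAN

# Services actually offered on this host
pass in  on $ext_if proto tcp to port { 22, 80 } keep state
pass out on $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`.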