Date:      Sun, 5 Oct 2008 20:27:05 +0200
From:      Mel <fbsd.questions@rachie.is-a-geek.net>
To:        freebsd-questions@freebsd.org
Cc:        Scott Bennett <bennett@cs.niu.edu>
Subject:   Re: pf vs. RST attack question
Message-ID:  <200810052027.05712.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <200810051753.m95Hr3N5014872@mp.cs.niu.edu>
References:  <200810051753.m95Hr3N5014872@mp.cs.niu.edu>

On Sunday 05 October 2008 19:53:03 Scott Bennett wrote:
>      I'm getting a lot of messages like this:
>
> Oct  4 14:30:00 hellas kernel: Limiting closed port RST response from 250
> to 200 packets/sec
>
> Is there some rule I can insert into /etc/pf.conf to reject these
> apparently invalid RST packets before they can bother TCP?  At the same
> time, I do not want to reject legitimate RST packets.
>      Thanks in advance for any clues!

Chances are pf is *creating* them. RST responses are used to signal that a 
port is closed, which is what block-policy return does. Combined with default 
block all, a simple portscan will generate this.

Switch to block-policy drop and set return for real denies, not default 
denies.

-- 
Mel

Problem with today's modular software: they start with the modules
    and never get to the software part.

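The two policies Mel contrasts, side by side, as an added example that is not part of the original post or the FreeBSD pf documentation. The interface macros ($ext_if, $int_if, $lan_net) and the service ports are assumptions chosen for illustration; substitute your own.

```pf
# --- Weak: every default-denied packet gets a RST (TCP) or ICMP unreachable.
# A port scan against closed ports makes pf emit one RST per probe.
#   set block-policy return
#   block all

# --- Corrected: the default deny is silent; return only where wanted.
ext_if  = "em0"          # assumption: outside interface
int_if  = "em1"          # assumption: inside interface
lan_net = "192.168.1.0/24"  # assumption: trusted LAN

set block-policy drop    # default for every "block" without its own policy
set skip on lo0

# Default deny: no RST, no ICMP unreachable, nothing for a scanner to read.
block all

# A "real" deny: trusted LAN hosts hitting a closed port get an immediate
# RST so their clients fail fast instead of timing out.
block return in on $int_if proto tcp from $lan_net to any

# Services that are actually offered.
pass in on $ext_if proto tcp to ($ext_if) port { 22, 80 } flags S/SA keep state
pass out on $ext_if keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -vsr` afterwards: the per-rule packet counters show whether a `block return` rule is the one matching scan traffic. Note that the kernel message itself is logged by the TCP stack's own rate limiter (controlled by `net.inet.icmp.icmplim`), so probes that pf *passes* to a port nothing listens on still produce it; `net.inet.tcp.blackhole` in /etc/sysctl.conf silences the stack's RSTs for that case.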

