From owner-freebsd-questions@FreeBSD.ORG Wed Oct 8 13:39:19 2014 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id BE1FCF0E for ; Wed, 8 Oct 2014 13:39:19 +0000 (UTC) Received: from fly.hiwaay.net (fly.hiwaay.net [216.180.54.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 89E1EFB2 for ; Wed, 8 Oct 2014 13:39:19 +0000 (UTC) Received: from kabini1.local (rbn1-216-180-19-88.adsl.hiwaay.net [216.180.19.88]) (authenticated bits=0) by fly.hiwaay.net (8.13.8/8.13.8/fly) with ESMTP id s98DdH7L022926 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for ; Wed, 8 Oct 2014 08:39:18 -0500 Message-ID: <54353FFC.3050309@hiwaay.net> Date: Wed, 08 Oct 2014 08:45:32 -0500 From: "William A. Mahaffey III" User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2 MIME-Version: 1.0 To: "FreeBSD Questions !!!!" Subject: Re: oddball syslog entries .... References: <5434A8F7.1090507@hiwaay.net> <5434E626.80104@qeng-ho.org> In-Reply-To: <5434E626.80104@qeng-ho.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Oct 2014 13:39:19 -0000 On 10/08/14 02:22, Arthur Chance wrote: > On 08/10/2014 04:01, William A. Mahaffey III wrote: >> >> >> Over the last couple of days I am seeing some odd (to me) entries in my >> messages file: >> >> > [irrelevance snipped] >> Oct 5 11:30:22 kabini1 kernel: Limiting closed port RST response from >> 276 to 200 packets/sec >> Oct 5 11:30:24 kabini1 kernel: Limiting closed port RST response from >> 239 to 200 packets/sec >> Oct 5 11:30:25 kabini1 kernel: Limiting closed port RST response from >> 280 to 200 packets/sec >> Oct 5 11:30:26 kabini1 kernel: Limiting closed port RST response from >> 319 to 200 packets/sec >> Oct 7 10:41:25 kabini1 kernel: Limiting closed port RST response from >> 276 to 200 packets/sec >> Oct 7 10:41:26 kabini1 kernel: Limiting closed port RST response from >> 239 to 200 packets/sec >> Oct 7 10:41:27 kabini1 kernel: Limiting closed port RST response from >> 280 to 200 packets/sec >> Oct 7 10:41:29 kabini1 kernel: Limiting closed port RST response from >> 319 to 200 packets/sec >> Oct 7 14:59:41 kabini1 kernel: Limiting closed port RST response from >> 253 to 200 packets/sec >> Oct 7 14:59:42 kabini1 kernel: Limiting closed port RST response from >> 233 to 200 packets/sec >> Oct 7 14:59:44 kabini1 kernel: Limiting closed port RST response from >> 265 to 200 packets/sec >> Oct 7 14:59:45 kabini1 kernel: Limiting closed port RST response from >> 295 to 200 packets/sec >> Oct 7 14:59:47 kabini1 kernel: Limiting closed port RST response from >> 324 to 200 packets/sec >> Oct 7 15:03:18 kabini1 kernel: Limiting closed port RST response from >> 253 to 200 packets/sec >> Oct 7 15:03:20 kabini1 kernel: Limiting closed port RST response from >> 233 to 200 packets/sec >> Oct 7 15:03:21 kabini1 kernel: Limiting closed port RST response from >> 265 to 200 packets/sec >> Oct 7 15:03:22 kabini1 kernel: Limiting closed port RST response from >> 295 to 200 packets/sec >> Oct 7 15:03:24 kabini1 kernel: Limiting closed port RST response from >> 324 to 200 packets/sec >> >> The stuff from Oct 2 is irrelevant, included for completeness/context. >> The lines about 'Limiting closed port ....' are puzzling to me. Where >> are they coming from ? Problem or chatter ? Enquiring minds wanna know >> ;-) .... TIA for any clues .... >> >> > > I occasionally get this on a machine that sits squarely behind a > locked down pfSense firewall. If you want to see what's causing it, > > sysctl net.inet.tcp.log_in_vain=1 > > (put into your /etc/sysctl.conf if you want it to last over reboots.) > This will show you where the packet came from and which port on your > machine was the target. > > In my case it seemed to be a mix of DNS responses from the outside > world that arrived too late and a local long running Firefox > occasionally pounding on the indent port (113) for no good reason I > ever discovered. > > Nothing seems particularly dubious, unless the DNS responses were > attempted spoofs, but my ISP is one of the better UK ones and I'd > expect them to mitigate such attacks. > > Thanks, that seems quite simple, I'm on it now :-) .... -- William A. Mahaffey III ---------------------------------------------------------------------- "The M1 Garand is without doubt the finest implement of war ever devised by man." -- Gen. George S. Patton Jr.