Date: Wed, 8 Oct 2014 07:06:24 -0700 From: Kurt Buff <kurt.buff@gmail.com> To: Arthur Chance <freebsd@qeng-ho.org> Cc: "William A. Mahaffey III" <wam@hiwaay.net>, FreeBSD Questions !!!! <freebsd-questions@freebsd.org> Subject: Re: oddball syslog entries .... Message-ID: <CADy1Ce44xJ3e0D7hxMWE_sO71JSEDcuy3QqB8DD7aEvXM5bytA@mail.gmail.com> In-Reply-To: <5434E626.80104@qeng-ho.org> References: <5434A8F7.1090507@hiwaay.net> <5434E626.80104@qeng-ho.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Oct 8, 2014 at 12:22 AM, Arthur Chance <freebsd@qeng-ho.org> wrote: > On 08/10/2014 04:01, William A. Mahaffey III wrote: >> Over the last couple of days I am seeing some odd (to me) entries in my >> messages file: >> >> Oct 7 15:03:24 kabini1 kernel: Limiting closed port RST response from >> 324 to 200 packets/sec >> >> The stuff from Oct 2 is irrelevant, included for completeness/context. >> The lines about 'Limiting closed port ....' are puzzling to me. Where >> are they coming from ? Problem or chatter ? Enquiring minds wanna know >> ;-) .... TIA for any clues .... >> >> > > I occasionally get this on a machine that sits squarely behind a locked down > pfSense firewall. If you want to see what's causing it, > > sysctl net.inet.tcp.log_in_vain=1 > > (put into your /etc/sysctl.conf if you want it to last over reboots.) This > will show you where the packet came from and which port on your machine was > the target. > > In my case it seemed to be a mix of DNS responses from the outside world > that arrived too late and a local long running Firefox occasionally pounding > on the indent port (113) for no good reason I ever discovered. > > Nothing seems particularly dubious, unless the DNS responses were attempted > spoofs, but my ISP is one of the better UK ones and I'd expect them to > mitigate such attacks. Outstanding - much simpler than what I proposed, and I learned something new. Thanks for that. Kurt
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADy1Ce44xJ3e0D7hxMWE_sO71JSEDcuy3QqB8DD7aEvXM5bytA>