From: Kurt Buff
To: Arthur Chance
Cc: "William A. Mahaffey III", FreeBSD Questions !!!!
Date: Wed, 8 Oct 2014 07:06:24 -0700
Subject: Re: oddball syslog entries ....
In-Reply-To: <5434E626.80104@qeng-ho.org>
References: <5434A8F7.1090507@hiwaay.net> <5434E626.80104@qeng-ho.org>

On Wed, Oct 8, 2014 at 12:22 AM, Arthur Chance wrote:
> On 08/10/2014 04:01, William A. Mahaffey III wrote:
>> Over the last couple of days I am seeing some odd (to me) entries in my
>> messages file:
>>
>> Oct 7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec
>>
>> The stuff from Oct 2 is irrelevant, included for completeness/context.
>> The lines about 'Limiting closed port ....' are puzzling to me. Where
>> are they coming from ? Problem or chatter ? Enquiring minds wanna know
>> ;-) .... TIA for any clues ....
>
> I occasionally get this on a machine that sits squarely behind a locked down
> pfSense firewall. If you want to see what's causing it,
>
> sysctl net.inet.tcp.log_in_vain=1
>
> (put into your /etc/sysctl.conf if you want it to last over reboots.) This
> will show you where the packet came from and which port on your machine was
> the target.
>
> In my case it seemed to be a mix of DNS responses from the outside world
> that arrived too late and a local long running Firefox occasionally pounding
> on the ident port (113) for no good reason I ever discovered.
>
> Nothing seems particularly dubious, unless the DNS responses were attempted
> spoofs, but my ISP is one of the better UK ones and I'd expect them to
> mitigate such attacks.

Outstanding - much simpler than what I proposed, and I learned something new.

Thanks for that.

Kurt
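
Added example, not part of the original thread: once the sysctl quoted above is enabled, a small script like this can tally which sources hit which closed ports and how high the RST rate-limit notices peaked. The function names are hypothetical, the sample log is constructed, and the log_in_vain line format is an assumption that may differ between FreeBSD releases.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed log_in_vain line format
# (may differ between FreeBSD releases):
#   TCP: [src]:sport to [dst]:dport tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port

# Print "count src_ip dst_port", busiest first, for closed-port attempts.
in_vain_summary() {
    awk '
        /Connection attempt to closed port/ {
            for (i = 2; i < NF; i++) {
                if ($i == "to") {        # first "to" sits between the endpoints
                    src = $(i - 1); dst = $(i + 1)
                    sub(/^\[/, "", src); sub(/\]:[0-9]+$/, "", src)  # source address
                    sub(/^.*\]:/, "", dst)                            # destination port
                    n[src " " dst]++
                    break
                }
            }
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -k1,1nr -k2,2 -k3,3n
}

# Print "events peak_pps" for the kernel's RST rate-limit notices.
rst_limit_peak() {
    awk '
        /Limiting closed port RST response from/ {
            events++
            for (i = 1; i < NF; i++)
                if ($i == "from" && $(i + 1) + 0 > peak) peak = $(i + 1) + 0
        }
        END { print events + 0, peak + 0 }
    ' "$1"
}

# Constructed sample log; only the first line's message text is from the thread.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Oct  7 15:03:24 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec
Oct  8 09:00:01 kabini1 kernel: TCP: [192.0.2.10]:51234 to [192.0.2.1]:113 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Oct  8 09:00:02 kabini1 kernel: TCP: [192.0.2.10]:51235 to [192.0.2.1]:113 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Oct  8 09:00:05 kabini1 kernel: TCP: [198.51.100.7]:40000 to [192.0.2.1]:8080 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
Oct  8 09:01:10 kabini1 kernel: Limiting closed port RST response from 251 to 200 packets/sec
EOF

in_vain_summary "$sample"
rst_limit_peak "$sample"
```

On a real host, pass the path of the messages file instead of the constructed sample.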