From owner-freebsd-questions@FreeBSD.ORG Tue May 1 19:01:49 2012
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5F6E0106566B for ; Tue, 1 May 2012 19:01:49 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) by mx1.freebsd.org (Postfix) with ESMTP id BA9288FC24 for ; Tue, 1 May 2012 19:01:48 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id q41J1UWD055767; Wed, 2 May 2012 05:01:30 +1000 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Wed, 2 May 2012 05:01:30 +1000 (EST)
From: Ian Smith
To: Arthur Chance
In-Reply-To: <20120501120038.45BB71065772@hub.freebsd.org>
Message-ID: <20120502043016.J91148@sola.nimnet.asn.au>
References: <20120501120038.45BB71065772@hub.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-questions@freebsd.org
Subject: Re: Limiting closed port RST response
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 01 May 2012 19:01:49 -0000

In freebsd-questions Digest, Vol 413, Issue 4, Message: 7
On Tue, 01 May 2012 12:59:36 +0100 Arthur Chance wrote:

> Every once in a while the nightly periodic security checks tell me I've
> got a kernel message
>
> Limiting closed port RST response from N to 200 packets/sec
>
> where N > 200. The problem is that it doesn't say which port was
> involved. Is there any way to find that out so I can try tracking down
> the problem? AFAICT tcpdump doesn't have a way of saying "closed ports on
> this machine" as a filter.
% sysctl -ad | grep vain
net.inet.tcp.log_in_vain: Log all incoming TCP segments to closed ports
net.inet.udp.log_in_vain: Log all incoming UDP packets

With sysctl net.inet.tcp.log_in_vain=1 you get a message per instance,
likely aggregated into 'last message repeated N times' at those rates.
I add ipfw rules for heavy hitters on particular ports &/or from
particular hosts to cut both the noise and (albeit slight) load.

If you'd rather not have these (hardly uncommon) messages spamming
/var/log/messages, use something along these lines in /etc/syslog.conf:

*.notice;authpriv.none;kern.!=info;mail.crit;news.err;ntp.err;local0.none;ftp.none	/var/log/messages
kern.=info						/var/log/kerninfo.log

# touch /var/log/kerninfo.log
# service syslogd restart

cheers, Ian
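Once log_in_vain messages are landing in a file, the question in the original post (which closed port the RST-limiting refers to) reduces to counting those lines by destination port. The script below is an added example and is not code from Ian's reply or from FreeBSD; it assumes the kernel's log_in_vain line format "Connection attempt to TCP <dst>:<dport> from <src>:<sport> flags:0x.." (and the matching UDP form without flags), which you should confirm against your own /var/log/messages before relying on it. The log lines embedded in SAMPLE_LOG are constructed for the demo, with RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the original thread or from FreeBSD): summarise
# net.inet.tcp.log_in_vain / net.inet.udp.log_in_vain messages so that the
# closed port behind a "Limiting closed port RST response" message can be
# identified. Assumed line format (verify on your system):
#   ... kernel: Connection attempt to TCP <dst>:<dport> from <src>:<sport> flags:0x02
#   ... kernel: Connection attempt to UDP <dst>:<dport> from <src>:<sport>
# The sample log below is constructed, not captured from a real host.

SAMPLE_LOG=$(cat <<'EOF'
May  1 03:12:01 host kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40011 flags:0x02
May  1 03:12:01 host kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40012 flags:0x02
May  1 03:12:02 host kernel: Connection attempt to TCP 192.0.2.10:8080 from 203.0.113.5:51000 flags:0x02
May  1 03:12:02 host kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.9:40013 flags:0x02
May  1 03:12:03 host kernel: Connection attempt to UDP 192.0.2.10:1900 from 203.0.113.5:51001
EOF
)

# count_by_port: read log lines on stdin, print "<proto> <dport> <count>",
# busiest port first. The "to" keyword is located by scanning fields so the
# variable-width syslog prefix does not matter.
count_by_port() {
    awk '/Connection attempt to (TCP|UDP) / {
            proto = ""; dst = ""
            for (i = 1; i <= NF; i++) if ($i == "to") { proto = $(i+1); dst = $(i+2); break }
            if (dst == "") next
            n = split(dst, parts, ":"); port = parts[n]
            count[proto " " port]++
         }
         END { for (k in count) print k, count[k] }' | sort -k3,3nr -k2,2n
}

# top_port: just the busiest "<proto> <dport>" pair, e.g. "TCP 23".
top_port() {
    count_by_port | head -n 1 | awk '{ print $1, $2 }'
}

# count_by_source <proto> <dport>: which remote hosts hit that port, and how
# often, so a heavy hitter can be tied back to a single source.
count_by_source() {
    proto=$1; port=$2
    awk -v p="$proto" -v d="$port" '/Connection attempt to / {
            pr = ""; dst = ""; src = ""
            for (i = 1; i <= NF; i++) { if ($i == "to") { pr = $(i+1); dst = $(i+2) } else if ($i == "from") { src = $(i+1) } }
            if (dst == "" || src == "") next
            n = split(dst, a, ":")
            if (pr == p && a[n] == d) { sub(/:[0-9]+$/, "", src); hits[src]++ }
         }
         END { for (h in hits) print h, hits[h] }' | sort -k2,2nr -k1,1
}

# Demo on the constructed sample: ./closedports.sh --demo
# Real use: count_by_port < /var/log/kerninfo.log
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | count_by_port
    echo "--- sources for $(printf '%s\n' "$SAMPLE_LOG" | top_port)"
    printf '%s\n' "$SAMPLE_LOG" | count_by_source TCP 23
fi
```

Point the functions at the file the syslog.conf split above produces (or at /var/log/messages if you kept everything in one place); with 'last message repeated N times' aggregation switched on, the counts are a lower bound, so treat them as a ranking rather than an exact rate.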