Date:      Wed, 2 May 2012 05:01:30 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Arthur Chance <freebsd@qeng-ho.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Limiting closed port RST response
Message-ID:  <20120502043016.J91148@sola.nimnet.asn.au>
In-Reply-To: <20120501120038.45BB71065772@hub.freebsd.org>
References:  <20120501120038.45BB71065772@hub.freebsd.org>

In freebsd-questions Digest, Vol 413, Issue 4, Message: 7
On Tue, 01 May 2012 12:59:36 +0100 Arthur Chance <freebsd@qeng-ho.org> wrote:

 > Every once in a while the nightly periodic security checks tell me I've 
 > got a kernel message
 > 
 > Limiting closed port RST response from N to 200 packets/sec
 > 
 > where N > 200. The problem is that it doesn't say which port was 
 > involved. Is there any way to find that out so I can try tracking down 
 > the problem? AFAICT tcpdump doesn't have a way of saying "closed ports on 
 > this machine" as a filter.

% sysctl -ad | grep vain
net.inet.tcp.log_in_vain: Log all incoming TCP segments to closed ports
net.inet.udp.log_in_vain: Log all incoming UDP packets

With sysctl net.inet.tcp.log_in_vain=1 you get a message per instance, 
likely aggregated into 'last message repeated N times' at those rates. I 
add ipfw rules for heavy hitters on particular ports &/or from 
particular hosts to cut both the noise and (albeit slight) load.

If you'd rather not have these (hardly uncommon) messages spamming 
/var/log/messages, use something along these lines in /etc/syslog.conf:

*.notice;authpriv.none;kern.!=info;mail.crit;news.err;ntp.err;local0.none;ftp.none	/var/log/messages
kern.=info	/var/log/kerninfo.log

# touch /var/log/kerninfo.log
# service syslogd restart

cheers, Ian
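Added example (not part of Ian's message and not FreeBSD's own tooling): once net.inet.tcp.log_in_vain=1 is on and kern.info is routed to its own file as above, the remaining question from the original post is which closed port the burst was aimed at. The script below totals log_in_vain entries per protocol and destination port, crediting syslogd's "last message repeated N times" lines to the preceding entry so the aggregated counts are not lost. It assumes the kernel's message looks like "Connection attempt to TCP host:port from host:port flags:0x02" (an assumption about the log format; check yours); the sample log lines, hostname and addresses are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from FreeBSD.
# Summarise log_in_vain kernel messages by protocol and destination port
# so the port behind a "Limiting closed port RST response" burst can be
# identified, then decide whether an ipfw rule for that port is warranted.
#
# Assumed line shapes (syslog prefix + kernel log_in_vain text):
#   May  2 04:30:16 sola kernel: Connection attempt to TCP 203.0.113.5:23 from 198.51.100.7:44321 flags:0x02
#   May  2 04:30:17 sola syslogd: last message repeated 57 times
# The "repeated N times" line is credited to the previous entry's port.

# Constructed sample log (not real traffic).
SAMPLE_LOG='May  2 04:30:16 sola kernel: Connection attempt to TCP 203.0.113.5:23 from 198.51.100.7:44321 flags:0x02
May  2 04:30:17 sola syslogd: last message repeated 57 times
May  2 04:30:18 sola kernel: Connection attempt to TCP 203.0.113.5:445 from 198.51.100.9:51000 flags:0x02
May  2 04:30:19 sola kernel: Connection attempt to UDP 203.0.113.5:1434 from 198.51.100.9:51001
May  2 04:30:20 sola kernel: Connection attempt to TCP 203.0.113.5:23 from 198.51.100.8:40001 flags:0x02
May  2 04:30:21 sola kernel: some unrelated kernel message'

# summarize_in_vain: reads syslog lines on stdin and prints
#   "<count> <proto> <dport>" lines, busiest port first.
summarize_in_vain() {
    awk '
        # A log_in_vain line: locate the protocol word, take the
        # destination host:port that follows it, and count one hit.
        /kernel: Connection attempt to (TCP|UDP) / {
            for (i = 1; i < NF; i++) {
                if ($i == "TCP" || $i == "UDP") {
                    split($(i + 1), dst, ":")
                    key = $i " " dst[2]
                    break
                }
            }
            hits[key]++
            last = key
            next
        }
        # syslogd duplicate suppression: add the repeat count to the
        # entry it repeats, which is the previous log_in_vain line.
        /syslogd: last message repeated [0-9]+ times/ {
            if (last != "") hits[last] += $(NF - 1)
            next
        }
        # Any other line breaks the "last message" chain.
        { last = "" }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# sample_summary: run the summary over the constructed sample.
sample_summary() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_in_vain
}

# Usage against a real system: summarize_in_vain < /var/log/kerninfo.log
sample_summary
```

The first line of output names the port to look at (here "59 TCP 23", since the 57 suppressed repeats are added back to the first telnet probe); ports that only ever show a handful of hits are the background noise Ian mentions and are not worth a rule.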
