Date: Sun, 1 Sep 2024 23:24:13 +0100
From: Pete French <pete@twisted.org.uk>
To: Chris <bsd-lists@bsdforge.com>
Cc: FreeBSD Stable Mailing List <freebsd-stable@freebsd.org>
Subject: Re: How to diagnose "Limiting closed port RST response from 213 to 205 packets/sec" ?
Message-ID: <2fb2df3c-34ee-407d-993f-e2a5e97facad@twisted.org.uk>
In-Reply-To: <97fa5fe2037829e34e51d7132e627c65@bsdforge.com>
References: <27a993d5-c456-4add-8893-3e86af747ab1@twisted.org.uk> <97fa5fe2037829e34e51d7132e627c65@bsdforge.com>
On 01/09/2024 09:32, Chris wrote:
> times those messages show up in messages. Crank up verbosity in logs.
> Lastly; you might be able to better ferret some additional clues in
> sysctl.conf(5) by tweaking the net.inet.tcp.log_in_vain setting; from tcp(4):
>
>      log_in_vain
>              Log any connection attempts to ports where there
>              is no socket accepting connections. The value
>              of 1 limits the logging to SYN (connection
>              establishment) packets only. A value of 2 results
>              in any TCP packets to closed ports being logged.
>              Any value not listed above disables the logging
>              (default is 0, i.e., the logging is disabled).

Ahhhhh.... thank you for this! This is exactly what I needed. And it turns out that what I see is a lot of this...

Sep 1 22:15:05.982 turpentine kernel: TCP: [127.0.0.1]:24224 to [127.0.0.1]:36784 tcpflags 0x12<SYN,ACK>; tcp_input_with_port: Connection attempt to closed port
Sep 1 22:15:06.393 turpentine kernel: TCP: [127.0.0.1]:24224 to [127.0.0.1]:54024 tcpflags 0x12<SYN,ACK>; tcp_input_with_port: Connection attempt to closed port
Sep 1 22:15:06.595 turpentine kernel: TCP: [127.0.0.1]:24224 to [127.0.0.1]:30857 tcpflags 0x12<SYN,ACK>; tcp_input_with_port: Connection attempt to closed port
Sep 1 22:15:07.198 turpentine kernel: TCP: [127.0.0.1]:24224 to [127.0.0.1]:34060 tcpflags 0x12<SYN,ACK>; tcp_input_with_port: Connection attempt to closed port
Sep 1 22:15:07.650 turpentine kernel: TCP: [127.0.0.1]:24224 to [127.0.0.1]:13537 tcpflags 0x12<SYN,ACK>; tcp_input_with_port: Connection attempt to closed port
Sep 1 22:15:07.851 turpentine kernel: TCP: [127.0.0.1]:24224 to [127.0.0.1]:31788 tcpflags 0x12<SYN,ACK>; tcp_input_with_port: Connection attempt to closed port
Sep 1 22:15:09.506 turpentine kernel: TCP: [127.0.0.1]:24224 to [127.0.0.1]:53517 tcpflags 0x12<SYN,ACK>; tcp_input_with_port: Connection attempt to closed port

Which is the SYN/ACK for a connection to 24224 - the fluentd on the local host. I have a good idea what's causing this too.
My libraries will, if they find a hostname resolves to multiple IP addresses, try to connect to all of them, preferring IPv6, and use the first one which gets accepted, and close the others. A connection to 'localhost' will resolve to ::1 and 127.0.0.1, and I bet ::1 works first, so my side closes 127.0.0.1, which then explains the above.

So, given that, these are therefore happening all the time. Which implies that the fact they only get rate limited at certain points, corresponding to connection difficulties, indicates it's to do with load on the machines. Someone is hammering my webserver at those times. I can go find out who that is now I think.

Thanks to all who replied BTW, this has been really useful! I did also wonder if it was a port scan - but all of these machines are running pf and only allowing 443 in, as well as being behind a firewall+NAT at the edge that only forwards 443, so nothing should be able to scan them.

-pete.
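The message above reads the log_in_vain output by eye. The following is an added example, not code from the thread or from FreeBSD, that does the same triage mechanically: it parses kernel lines in the exact layout shown above, separates the benign case the message identifies (a loopback SYN/ACK arriving after the client side has already closed the losing connection) from SYNs to closed ports from non-loopback addresses (what a scan or a misdirected client would leave), counts hits per service port, and finds the busiest one-second window so the figure can be compared with the packets/sec reported in the subject line. The seven loopback lines are the ones from the message; the two lines from 203.0.113.7 are constructed for the example and the host name, ports and addresses in them are assumptions.

```python
"""Triage FreeBSD net.inet.tcp.log_in_vain kernel log lines.

Added example (not the thread author's code). Assumed line layout, taken
from the lines quoted in the message:

  <Mon D HH:MM:SS.fff> <host> kernel: TCP: [src]:sport to [dst]:dport \
      tcpflags 0x..<NAMES>; <function>: <text>
"""
import ipaddress
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"(?P<host>\S+) kernel: TCP: "
    r"\[(?P<src>[^\]]+)\]:(?P<sport>\d+) to \[(?P<dst>[^\]]+)\]:(?P<dport>\d+) "
    r"tcpflags (?P<flags>0x[0-9a-fA-F]+)<(?P<names>[^>]*)>; "
    r"(?P<fn>\w+): (?P<text>.*)$"
)

# Seven lines as posted in the thread, plus two CONSTRUCTED lines (the
# 203.0.113.7 / 198.51.100.5 addresses are documentation ranges) showing
# what a bare SYN to a closed port from outside looks like in the same format.
SAMPLE_LINES = [
    "Sep 1 22:15:05.982 turpentine kernel: TCP: [127.0.0.1]:24224 to [127.0.0.1]:36784 tcpflags 0x12<SYN,ACK>; tcp_input_with_port: Connection attempt to closed port",
    "Sep 1 22:15:06.393 turpentine kernel: TCP: [127.0.0.1]:24224 to [127.0.0.1]:54024 tcpflags 0x12<SYN,ACK>; tcp_input_with_port: Connection attempt to closed port",
    "Sep 1 22:15:06.595 turpentine kernel: TCP: [127.0.0.1]:24224 to [127.0.0.1]:30857 tcpflags 0x12<SYN,ACK>; tcp_input_with_port: Connection attempt to closed port",
    "Sep 1 22:15:07.198 turpentine kernel: TCP: [127.0.0.1]:24224 to [127.0.0.1]:34060 tcpflags 0x12<SYN,ACK>; tcp_input_with_port: Connection attempt to closed port",
    "Sep 1 22:15:07.650 turpentine kernel: TCP: [127.0.0.1]:24224 to [127.0.0.1]:13537 tcpflags 0x12<SYN,ACK>; tcp_input_with_port: Connection attempt to closed port",
    "Sep 1 22:15:07.851 turpentine kernel: TCP: [127.0.0.1]:24224 to [127.0.0.1]:31788 tcpflags 0x12<SYN,ACK>; tcp_input_with_port: Connection attempt to closed port",
    "Sep 1 22:15:09.506 turpentine kernel: TCP: [127.0.0.1]:24224 to [127.0.0.1]:53517 tcpflags 0x12<SYN,ACK>; tcp_input_with_port: Connection attempt to closed port",
    # constructed: external SYNs to a closed port 8080
    "Sep 1 22:15:08.100 turpentine kernel: TCP: [203.0.113.7]:51234 to [198.51.100.5]:8080 tcpflags 0x2<SYN>; tcp_input_with_port: Connection attempt to closed port",
    "Sep 1 22:15:08.300 turpentine kernel: TCP: [203.0.113.7]:51235 to [198.51.100.5]:8080 tcpflags 0x2<SYN>; tcp_input_with_port: Connection attempt to closed port",
]


def parse_line(line):
    """Return a dict for one log_in_vain line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    names = rec["names"]
    rec["flags"] = frozenset(names.split(",")) if names else frozenset()
    return rec


def classify(rec):
    """Label a record the way the thread reasons about it.

    SYN/ACK from a loopback address: a local service answered a SYN whose
    client socket is already gone (the abandoned-candidate case above).
    Bare SYN from a non-loopback address: someone outside probing a closed port.
    """
    src = ipaddress.ip_address(rec["src"].split("%")[0])  # drop any scope id
    f = rec["flags"]
    if {"SYN", "ACK"} <= f and src.is_loopback:
        return "loopback SYN/ACK leftover"
    if "SYN" in f and "ACK" not in f:
        return "loopback SYN" if src.is_loopback else "external SYN probe"
    return "other"


def summarize(lines):
    """Count hits by category and by (category, src, service port); find the busiest second."""
    by_category = Counter()
    by_service = Counter()
    per_second = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cat = classify(rec)
        # For a SYN/ACK the service is the *source* port (the listener replying);
        # for a SYN it is the *destination* port (the port being probed).
        service_port = rec["sport"] if "ACK" in rec["flags"] else rec["dport"]
        by_category[cat] += 1
        by_service[(cat, rec["src"], service_port)] += 1
        per_second[rec["ts"].split(".")[0]] += 1  # bucket on whole seconds
    peak = max(per_second.items(), key=lambda kv: kv[1]) if per_second else (None, 0)
    return {"by_category": dict(by_category), "by_service": dict(by_service), "peak": peak}


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for cat, n in s["by_category"].items():
        print(f"{n:6d}  {cat}")
    for (cat, src, port), n in sorted(s["by_service"].items(), key=lambda kv: -kv[1]):
        print(f"{n:6d}  {cat:28s} {src}:{port}")
    print("busiest second:", s["peak"])
```

Feed it `grep 'Connection attempt to closed port' /var/log/messages` (with log_in_vain set to 2 so the SYN/ACKs are logged, not just SYNs) and the busiest-second figure is the one to hold against the packets/sec in the kernel's "Limiting closed port RST response" message; on the sample above it is 3, far under the reported limit, which is what the message's conclusion about load spikes predicts.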
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2fb2df3c-34ee-407d-993f-e2a5e97facad>