pf vs. RST attack question

(-K JohnNy johnny64 at swissjabber.org
Sun Oct 5 18:23:40 UTC 2008


On Sun, Oct 05, 2008 at 12:53:03PM -0500, Scott Bennett wrote:
>      I'm getting a lot of messages like this:
> 
> Oct  4 14:30:00 hellas kernel: Limiting closed port RST response from 250 to 200 packets/sec
> 
> Is there some rule I can insert into /etc/pf.conf to reject these apparently
> invalid RST packets before they can bother TCP?  At the same time, I do not
> want to reject legitimate RST packets.
>      Thanks in advance for any clues!

Well, just to clarify a bit, the RST packets aren't the ones you are
getting. You are apparently getting port-scanned. The message just
says it won't reply with an RST packet to a SYN going to a closed port
more than 200 times per second.

I would suggest ignoring all SYN packets going to closed ports.
Haven't yet used pf though, so I can't say how exactly to do this.

-- 
(-K JohnNy alias Partial Derivative ∂
[home] http://johnny64.fixinko.sk/
[icq] 338328204 [abandoned]
[jabber] JohnNy64 at swissjabber.org
[skype] JohnNy64-konik [abandoned]
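Along the lines the reply suggests, here is an added example of how the "ignore SYNs to closed ports" policy looks in pf; it is not from the thread or from either poster. The interface name `em0` and the service ports 22 and 80 are assumptions to be replaced with your own:

```pf
# Added example, not from the original mail. ext_if and the service
# ports are assumptions; substitute the interface and ports you serve.
ext_if = "em0"
tcp_services = "{ 22, 80 }"

set skip on lo0

# Default policy: silently drop. "block drop" (pf's default action for
# block) discards a SYN to a closed port without generating an RST, so the
# kernel's "Limiting closed port RST response" limiter never has anything
# to rate-limit. "block return" would instead send the RST / ICMP
# unreachable and reintroduce the message. "log" sends the dropped
# packets to pflog0 so scans remain visible for detection.
block drop in log on $ext_if

# Admit only the services actually offered, and only on the initial SYN.
# The state entry created here is what subsequent segments of the
# connection match, including a legitimate RST that tears it down, so
# genuine RSTs for real connections are unaffected by the default block.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state

# Outbound connections and their replies.
pass out quick on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch what the default rule drops with `tcpdump -n -e -ttt -i pflog0`. Independently of pf, the 200 packets/sec figure in the log line is FreeBSD's `net.inet.icmp.icmplim` sysctl (default 200), and `net.inet.icmp.icmplim_output=0` suppresses the console message without changing the limit; neither is mentioned in the thread, but both are worth knowing when deciding whether the message itself or the RST traffic is the thing to address.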