pf vs. RST attack question
fbsd.questions at rachie.is-a-geek.net
Sun Oct 5 18:27:07 UTC 2008
On Sunday 05 October 2008 19:53:03 Scott Bennett wrote:
> I'm getting a lot of messages like this:
> Oct 4 14:30:00 hellas kernel: Limiting closed port RST response from 250
> to 200 packets/sec
> Is there some rule I can insert into /etc/pf.conf to reject these
> apparently invalid RST packets before they can bother TCP? At the same
> time, I do not want to reject legitimate RST packets.
> Thanks in advance for any clues!
Chances are pf is *creating* them. RST responses are used to signal that a
port is closed, which is what block-policy return does. Combined with default
block all, a simple portscan will generate this.
Switch to block-policy drop and set return for real denies, not default
Problem with today's modular software: they start with the modules
and never get to the software part.
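As an added illustration of the change the reply recommends (not part of the original message, and assuming a hypothetical external interface macro $ext_if and a hypothetical policy of answering only the ident port with an RST), a pf.conf fragment that drops by default and returns only where the administrator chooses to:

```pf
# Constructed example, not from the thread: default to silently dropping
# blocked packets so pf itself does not emit an RST for every probe.
set block-policy drop

ext_if = "em0"   # assumption: name of the external interface

# Deny everything unless a later rule passes it.
block all

# Explicit "return" only for the few cases where a quick RST is wanted
# (assumption: ident/auth lookups on port 113 should fail fast rather than time out).
block return in quick on $ext_if proto tcp to port 113

# Legitimate traffic; RSTs belonging to these stateful sessions are still
# matched by state and pass normally.
pass out quick on $ext_if keep state
pass in on $ext_if proto tcp to port { 22, 80 } flags S/SA keep state
```

Reload with `pfctl -nf /etc/pf.conf` to syntax-check first, then `pfctl -f /etc/pf.conf`; with this ruleset an unsolicited probe to a closed port gets no reply at all instead of an RST from pf.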