oddball syslog entries ....

Arthur Chance freebsd at qeng-ho.org
Wed Oct 8 07:42:35 UTC 2014


On 08/10/2014 04:01, William A. Mahaffey III wrote:
>
>
> Over the last couple of days I am seeing some odd (to me) entries in my
> messages file:
>
>
[irrelevance snipped]
> Oct  5 11:30:22 kabini1 kernel: Limiting closed port RST response from
> 276 to 200 packets/sec
> Oct  5 11:30:24 kabini1 kernel: Limiting closed port RST response from
> 239 to 200 packets/sec
> Oct  5 11:30:25 kabini1 kernel: Limiting closed port RST response from
> 280 to 200 packets/sec
> Oct  5 11:30:26 kabini1 kernel: Limiting closed port RST response from
> 319 to 200 packets/sec
> Oct  7 10:41:25 kabini1 kernel: Limiting closed port RST response from
> 276 to 200 packets/sec
> Oct  7 10:41:26 kabini1 kernel: Limiting closed port RST response from
> 239 to 200 packets/sec
> Oct  7 10:41:27 kabini1 kernel: Limiting closed port RST response from
> 280 to 200 packets/sec
> Oct  7 10:41:29 kabini1 kernel: Limiting closed port RST response from
> 319 to 200 packets/sec
> Oct  7 14:59:41 kabini1 kernel: Limiting closed port RST response from
> 253 to 200 packets/sec
> Oct  7 14:59:42 kabini1 kernel: Limiting closed port RST response from
> 233 to 200 packets/sec
> Oct  7 14:59:44 kabini1 kernel: Limiting closed port RST response from
> 265 to 200 packets/sec
> Oct  7 14:59:45 kabini1 kernel: Limiting closed port RST response from
> 295 to 200 packets/sec
> Oct  7 14:59:47 kabini1 kernel: Limiting closed port RST response from
> 324 to 200 packets/sec
> Oct  7 15:03:18 kabini1 kernel: Limiting closed port RST response from
> 253 to 200 packets/sec
> Oct  7 15:03:20 kabini1 kernel: Limiting closed port RST response from
> 233 to 200 packets/sec
> Oct  7 15:03:21 kabini1 kernel: Limiting closed port RST response from
> 265 to 200 packets/sec
> Oct  7 15:03:22 kabini1 kernel: Limiting closed port RST response from
> 295 to 200 packets/sec
> Oct  7 15:03:24 kabini1 kernel: Limiting closed port RST response from
> 324 to 200 packets/sec
>
> The stuff from Oct 2 is irrelevant, included for completeness/context.
> The lines about 'Limiting closed port ....' are puzzling to me. Where
> are they coming from ? Problem or chatter ? Enquiring minds wanna know
> ;-) .... TIA for any clues ....
>
>

I occasionally get this on a machine that sits squarely behind a locked 
down pfSense firewall. If you want to see what's causing it,

	sysctl net.inet.tcp.log_in_vain=1

(put into your /etc/sysctl.conf if you want it to last over reboots.) 
This will show you where the packet came from and which port on your 
machine was the target.

In my case it seemed to be a mix of DNS responses from the outside world 
that arrived too late and a local long-running Firefox occasionally 
pounding on the ident port (113) for no good reason I ever discovered.

Nothing seems particularly dubious, unless the DNS responses were 
attempted spoofs, but my ISP is one of the better UK ones and I'd expect 
them to mitigate such attacks.
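
An added example, not part of the original post: a shell function that groups the "Limiting closed port RST response" lines quoted above into bursts, showing when the limiter fired, for how long, and the peak rate it saw. The names `rst_bursts` and `sample_log`, the 5-second gap and the output format are choices made for this example; the sample lines are copied from the quoted log, unwrapped to one line each.

```shell
#!/bin/sh
# rst_bursts [GAP]: read syslog lines on stdin. Messages on the same day that
# are at most GAP seconds apart (default 5) count as one burst. A burst that
# crosses midnight is reported as two.
rst_bursts() {
    awk -v gap="${1:-5}" '
    function emit() {
        if (n) printf "%s %s %s msgs=%d peak=%d limit=%d span=%ds\n",
                      mon, day, first, n, peak, limit, last - start
        n = 0
    }
    /kernel: Limiting closed port RST response from [0-9]+ to [0-9]+ packets\/sec/ {
        split($3, t, ":")                      # HH:MM:SS to seconds of day
        now = t[1] * 3600 + t[2] * 60 + t[3]
        if (n && ($1 != mon || $2 != day || now - last > gap)) emit()
        if (!n) { mon = $1; day = $2; first = $3; start = now; peak = 0 }
        n++; last = now; limit = $(NF - 1)     # "... from RATE to LIMIT packets/sec"
        if ($(NF - 3) + 0 > peak) peak = $(NF - 3) + 0
    }
    END { emit() }'
}

# Sample input: entries from the quoted log, plus one unrelated line
# (constructed) that the filter must ignore.
sample_log() {
    cat <<'EOF'
Oct  5 11:30:22 kabini1 kernel: Limiting closed port RST response from 276 to 200 packets/sec
Oct  5 11:30:24 kabini1 kernel: Limiting closed port RST response from 239 to 200 packets/sec
Oct  5 11:30:25 kabini1 kernel: Limiting closed port RST response from 280 to 200 packets/sec
Oct  5 11:30:26 kabini1 kernel: Limiting closed port RST response from 319 to 200 packets/sec
Oct  6 03:01:00 kabini1 newsyslog[1234]: logfile turned over
Oct  7 10:41:25 kabini1 kernel: Limiting closed port RST response from 276 to 200 packets/sec
Oct  7 10:41:26 kabini1 kernel: Limiting closed port RST response from 239 to 200 packets/sec
Oct  7 10:41:27 kabini1 kernel: Limiting closed port RST response from 280 to 200 packets/sec
Oct  7 10:41:29 kabini1 kernel: Limiting closed port RST response from 319 to 200 packets/sec
Oct  7 14:59:41 kabini1 kernel: Limiting closed port RST response from 253 to 200 packets/sec
Oct  7 14:59:42 kabini1 kernel: Limiting closed port RST response from 233 to 200 packets/sec
Oct  7 14:59:44 kabini1 kernel: Limiting closed port RST response from 265 to 200 packets/sec
Oct  7 14:59:45 kabini1 kernel: Limiting closed port RST response from 295 to 200 packets/sec
Oct  7 14:59:47 kabini1 kernel: Limiting closed port RST response from 324 to 200 packets/sec
EOF
}

sample_log | rst_bursts
```

On a live system the function would read the messages file on stdin instead of `sample_log`; the burst start times give the window to look at once `log_in_vain` output is available.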



