Limiting closed port RST response
Ian Smith
smithi at nimnet.asn.au
Tue May 1 19:01:49 UTC 2012
In freebsd-questions Digest, Vol 413, Issue 4, Message: 7
On Tue, 01 May 2012 12:59:36 +0100 Arthur Chance <freebsd at qeng-ho.org> wrote:
> Every once in a while the nightly periodic security checks tell me I've
> got a kernel message
>
> Limiting closed port RST response from N to 200 packets/sec
>
> where N > 200. The problem is that it doesn't say which port was
> involved. Is there any way to find that out so I can try tracking down
> the problem? AFAICT tcpdump doesn't have a way saying "closed ports on
> this machine" as a filter.
% sysctl -ad | grep vain
net.inet.tcp.log_in_vain: Log all incoming TCP segments to closed ports
net.inet.udp.log_in_vain: Log all incoming UDP packets
With sysctl net.inet.tcp.log_in_vain=1 you get a message per instance,
likely aggregated into 'last message repeated N times' at those rates. I
add ipfw rules for heavy hitters on particular ports &/or from
particular hosts to cut both the noise and (albeit slight) load.
If you'd rather not have these (hardly uncommon) messages spamming
/var/log/messages, use something along these lines in /etc/syslog.conf:
*.notice;authpriv.none;kern.!=info;mail.crit;news.err;ntp.err;local0.none;ftp.none /var/log/messages
kern.=info /var/log/kerninfo.log
# touch /var/log/kerninfo.log
# service syslogd restart
cheers, Ian
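As an added example, not part of Ian's reply or of FreeBSD's own tooling: a small sh/awk script that does what the original question asks (find out which closed port the traffic is aimed at) once net.inet.tcp.log_in_vain=1 is set and the kern.=info lines land in /var/log/kerninfo.log. It assumes the kernel's log_in_vain message has the shape `Connection attempt to TCP <dst>:<dport> from <src>:<sport> flags:0x..` (from memory of FreeBSD's tcp_input.c, not confirmed by the page) and that syslogd collapses duplicates into `last message repeated N times`, as the reply says. The log lines embedded below are constructed for the example, not real traffic; the function names vain_by_port and top_vain_port are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise net.inet.tcp.log_in_vain
# kernel messages by destination port, so the busiest closed port can be found.
# Assumed message format (from memory of FreeBSD's tcp_input.c):
#   Connection attempt to TCP <dst>:<dport> from <src>:<sport> flags:0x<hex>
# The sample lines below are constructed for this example.

SAMPLE_LOG='May  1 03:12:01 host kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:51234 flags:0x02
May  1 03:12:01 host kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:51235 flags:0x02
May  1 03:12:02 host kernel: Connection attempt to TCP 192.0.2.10:1433 from 203.0.113.9:40001 flags:0x02
May  1 03:12:02 host last message repeated 3 times
May  1 03:12:05 host kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:51236 flags:0x02
May  1 03:12:09 host kernel: Limiting closed port RST response from 312 to 200 packets/sec'

# vain_by_port: read log lines on stdin, print "dport count", busiest port first.
# A "last message repeated N times" line is credited to the attempt just before it,
# so the syslog aggregation mentioned in the reply does not hide the real volume.
vain_by_port() {
    awk '
        /Connection attempt to TCP/ {
            # the field after "TCP" is dst:dport; keep only the port
            for (i = 1; i <= NF; i++) if ($i == "TCP") { split($(i+1), a, ":"); port = a[2]; break }
            count[port]++; last = port; next
        }
        /last message repeated [0-9]+ times/ && last != "" {
            for (i = 1; i <= NF; i++) if ($i == "repeated") { count[last] += $(i+1); break }
        }
        END { for (p in count) printf "%s %d\n", p, count[p] }
    ' | sort -k2,2nr -k1,1n
}

# top_vain_port: the single busiest closed port in the sample, as "port count".
top_vain_port() {
    printf '%s\n' "$SAMPLE_LOG" | vain_by_port | head -n 1
}

# Run on the constructed sample; on a real host use: vain_by_port < /var/log/kerninfo.log
printf '%s\n' "$SAMPLE_LOG" | vain_by_port
```

In the sample, port 23 has three individual lines but port 1433 comes out on top (1 + 3 repeats = 4), which is the point of crediting the "repeated N times" lines: counting only the distinct messages would point at the wrong port. The "Limiting closed port RST response" line itself carries no port and is ignored; it only tells you the per-second threshold was crossed.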