Limiting closed port RST response

Ian Smith smithi at
Tue May 1 19:01:49 UTC 2012

In freebsd-questions Digest, Vol 413, Issue 4, Message: 7
On Tue, 01 May 2012 12:59:36 +0100 Arthur Chance <freebsd at> wrote:

 > Every once in a while the nightly periodic security checks tell me I've 
 > got a kernel message
 > Limiting closed port RST response from N to 200 packets/sec
 > where N > 200. The problem is that it doesn't say which port was 
 > involved. Is there any way to find that out so I can try tracking down 
 > the problem? AFAICT tcpdump doesn't have a way saying "closed ports on 
 > this machine" as a filter.

% sysctl -ad | grep vain
net.inet.tcp.log_in_vain: Log all incoming TCP segments to closed ports
net.inet.udp.log_in_vain: Log all incoming UDP packets

With sysctl net.inet.tcp.log_in_vain=1 you get a message per instance, 
likely aggregated into 'last message repeated N times' at those rates. I 
add ipfw rules for heavy hitters on particular ports &/or from 
particular hosts to cut both the noise and (albeit slight) load.

If you'd rather not have these (hardly uncommon) messages spamming 
/var/log/messages, use something along these lines in /etc/syslog.conf:

*.notice;authpriv.none;kern.!=info;mail.crit;news.err;ntp.err;local0.none;ftp.none	/var/log/messages
kern.=info	/var/log/kerninfo.log

# touch /var/log/kerninfo.log
# service syslogd restart

cheers, Ian

More information about the freebsd-questions mailing list