From owner-freebsd-questions@FreeBSD.ORG Mon Oct 6 00:36:03 2008
Date: Sun, 5 Oct 2008 17:36:01 -0700
From: Jeremy Chadwick
To: Scott Bennett
Cc: freebsd-questions@freebsd.org
Subject: Re: pf vs. RST attack question
Message-ID: <20081006003601.GA5733@icarus.home.lan>
In-Reply-To: <200810051753.m95Hr3N5014872@mp.cs.niu.edu>
References: <200810051753.m95Hr3N5014872@mp.cs.niu.edu>
User-Agent: Mutt/1.5.18 (2008-05-17)

On Sun, Oct 05, 2008 at 12:53:03PM -0500, Scott Bennett wrote:
> I'm getting a lot of messages like this:
>
> Oct 4 14:30:00 hellas kernel: Limiting closed port RST response from 250 to 200 packets/sec
>
> Is there some rule I can insert into /etc/pf.conf to reject these apparently
> invalid RST packets before they can bother TCP? At the same time, I do not
> want to reject legitimate RST packets.

They're outbound RST packets coming from your box as a result of incoming
packets someone is sending you (possibly an attack). Proper firewalling
rules should help defeat this, but there is no "magic rule" you can place
into pf.conf that will stop this.

If you want a "magic solution", see blackhole(4).

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
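An added example, not part of the thread above, of what "proper firewalling rules" plus blackhole(4) look like on a FreeBSD box. It assumes the external interface is em0 and that SSH on port 22 is the only service to expose; both are assumptions, not facts from the thread. The point is that the kernel only emits a closed-port RST for a packet that actually reaches the TCP stack, so a default-deny pf ruleset with a drop block-policy stops the RST storm at the filter, and the blackhole sysctls silence the stack for anything the filter lets through.

```conf
# /etc/pf.conf  (added example; em0 and port 22 are assumptions)
ext_if = "em0"
tcp_services = "{ 22 }"

# Weak setting would be "set block-policy return": every blocked probe
# is answered with a RST or ICMP unreachable, which is exactly the
# traffic the "Limiting closed port RST response" message counts.
# "drop" discards blocked packets silently instead.
set block-policy drop
set skip on lo0

# Default deny on the external interface: probes to closed ports never
# reach the TCP stack, so the stack has no closed-port RST to send.
block in log on $ext_if all
block out on $ext_if all

# Only the services actually offered. A new connection must be a bare
# SYN (flags S/SA), so stray RST or RST/ACK packets match no rule and
# are dropped; RSTs belonging to an established state still pass via
# the state table, which is what keeps legitimate RSTs working.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass out on $ext_if proto { tcp udp icmp } all keep state

# /etc/sysctl.conf  (the blackhole(4) "magic solution")
# For anything pf does not cover, or if pf is ever disabled, have the
# stack itself stay silent on closed ports: 2 drops SYNs and all other
# segments to closed TCP ports, 1 drops datagrams to closed UDP ports.
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and apply the sysctls with `sysctl net.inet.tcp.blackhole=2 net.inet.udp.blackhole=1` (or `service sysctl restart`). Two caveats a practitioner should know: the blackhole sysctls make the host look like a filtered network hole to a port scanner, but they also mean a legitimate client that hits a closed port waits for a timeout instead of getting an immediate "connection refused", so they change behaviour for your own users, not just for attackers; and the kernel message itself is the rate limiter for closed-port RSTs doing its job (the threshold is `net.inet.icmp.icmplim`), so it is a symptom of inbound probing, not of a fault in pf.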