From: Matthew Seaman
Date: Mon, 06 Oct 2008 08:19:09 +0100
To: Jeremy Chadwick
Cc: Scott Bennett, freebsd-questions@freebsd.org
Subject: Re: pf vs. RST attack question

Jeremy Chadwick wrote:
> On Sun, Oct 05, 2008 at 12:53:03PM -0500, Scott Bennett wrote:
>> I'm getting a lot of messages like this:
>>
>> Oct 4 14:30:00 hellas kernel: Limiting closed port RST response from 250 to 200 packets/sec
>>
>> Is there some rule I can insert into /etc/pf.conf to reject these apparently
>> invalid RST packets before they can bother TCP? At the same time, I do not
>> want to reject legitimate RST packets.
>
> They're outbound RST packets coming from your box as a result of
> incoming packets someone is sending you (possibly an attack).
>
> Proper firewalling rules should help defeat this, but there is no "magic
> rule" you can place into pf.conf that will stop this.
>
> If you want a "magic solution", see blackhole(4).
>

block drop all

looks fairly magical to me. Stick that at the top of your ruleset as your
default policy, add more specific rules beneath it to allow the traffic you
do want to pass, and Robert is your Mother's Brother. No more floods of
RST packets.

(Actually, I'd recommend always adding a 'log' clause to any rules that
drop packets like so: 'block log drop all'. Makes running
'tcpdump -i pflog0' an invaluable debugging aid.)

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
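The ruleset below is an added worked example of the default-deny policy Matthew describes; it is not part of the thread and not Matthew's or the FreeBSD project's own configuration. The interface name (em0) and the service list are assumptions. Note that pf.conf(5) grammar puts the "drop"/"return" keyword before "log" ("block drop log all"), and that pf evaluates the last matching rule unless a rule says "quick", which is why the blanket block sits at the top and the pass rules follow it. Because the block uses "drop" rather than "return", a probe to a closed port is discarded before the TCP stack ever sees it, so the kernel has nothing to answer with an RST and the "Limiting closed port RST response" messages stop. Legitimate RSTs for connections this host opened or accepted still arrive, because they match an existing state entry created by the stateful pass rules.

```pf
# Added example of a default-deny /etc/pf.conf; not from the original thread.
# Interface and service names below are assumptions for illustration.

ext_if = "em0"                  # assumption: the Internet-facing interface
tcp_services = "{ ssh, www }"   # assumption: the TCP ports this host really serves

# Do not filter loopback traffic at all.
set skip on lo0

# Default policy: drop everything and log it to pflog0.
# 'drop' means no RST or ICMP unreachable goes back for probes to closed
# ports, so the kernel never generates the rate-limited RST responses.
block drop log all

# Discard obviously forged source addresses on the external interface
# before they can create state.
antispoof quick for $ext_if

# Traffic this host initiates: allow it and keep state so the replies
# (data, FIN, and any legitimate RST for these connections) match the
# state entry and are passed without a separate rule.
pass out quick on $ext_if proto { tcp, udp, icmp } from ($ext_if) keep state

# Inbound connections to services we actually offer. 'flags S/SA' only
# lets a new state be created by a proper SYN; stray RST or ACK packets
# that match no existing state fall through to the block rule above.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA keep state
```

Check the syntax without loading it with "pfctl -nf /etc/pf.conf", load it with "pfctl -f /etc/pf.conf", and then watch what the default policy is discarding with "tcpdump -n -e -ttt -i pflog0". Each logged line shows the rule number that matched, so a flood of unsolicited RSTs or SYNs to closed ports shows up against rule 0 (the block) while accepted connections never appear in the log.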