Date:      Mon, 06 Oct 2008 08:19:09 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Jeremy Chadwick <koitsu@freebsd.org>
Cc:        Scott Bennett <bennett@cs.niu.edu>, freebsd-questions@freebsd.org
Subject:   Re: pf vs. RST attack question
Message-ID:  <48E9BBED.7090607@infracaninophile.co.uk>
In-Reply-To: <20081006003601.GA5733@icarus.home.lan>
References:  <200810051753.m95Hr3N5014872@mp.cs.niu.edu> <20081006003601.GA5733@icarus.home.lan>


Jeremy Chadwick wrote:
> On Sun, Oct 05, 2008 at 12:53:03PM -0500, Scott Bennett wrote:
>>      I'm getting a lot of messages like this:
>>
>> Oct  4 14:30:00 hellas kernel: Limiting closed port RST response from 250 to 200 packets/sec
>>
>> Is there some rule I can insert into /etc/pf.conf to reject these apparently
>> invalid RST packets before they can bother TCP?  At the same time, I do not
>> want to reject legitimate RST packets.
>
> They're outbound RST packets coming from your box as a result of
> incoming packets someone is sending you (possibly an attack).
>
> Proper firewalling rules should help defeat this, but there is no "magic
> rule" you can place into pf.conf that will stop this.
>
> If you want a "magic solution", see blackhole(4).
>

block drop all

looks fairly magical to me.  Stick that at the top of your ruleset as
your default policy, add more specific rules beneath it to allow
the traffic you do want to pass, and Robert is your Mother's Brother.
No more floods of RST packets.

(Actually, I'd recommend always adding a 'log' clause to any rules that
drop packets like so: 'block log drop all'.  Makes running 'tcpdump -i pflog0'
an invaluable debugging aid.)

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
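For reference, here is a pf.conf in the shape Matthew describes: a logged default-deny rule at the top, followed by specific pass rules for the traffic you actually want. This is an added example, not a ruleset from the thread or from the FreeBSD project; the interface name em0, the service ports and the use of antispoof are assumptions.

```pf
# Added example (not from the thread). Interface, ports and addresses are
# assumptions; adjust them to the host.
ext_if = "em0"                         # assumed external interface
tcp_services = "{ 22 80 443 }"         # assumed services this host exposes

set skip on lo0                        # never filter loopback traffic

# Default policy, first in the ruleset: drop and log everything.
# Later rules are 'quick', so any packet not matched by one of them is
# silently dropped here. Probes to closed ports never reach the TCP stack,
# so the kernel has no RST to send and the rate-limit messages stop.
block drop log all

# Logged anti-spoofing for the external interface, so spoofed sources
# show up in the pflog0 trace rather than being silently discarded.
antispoof log quick for $ext_if

# Allow only the services we run; stateful so replies are matched
# against the state table rather than needing their own rules.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state

# Allow connections initiated by this host and keep state for the replies.
pass out quick on $ext_if keep state
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. Everything hitting the logged rules can be watched live with `tcpdump -n -e -ttt -i pflog0`, which is the debugging aid Matthew refers to. The blackhole(4) route Jeremy mentions is complementary rather than an alternative: it is the net.inet.tcp.blackhole sysctl, and setting it to 2 makes the stack itself stop answering segments to closed ports, whereas the pf default-deny above keeps those segments from reaching the stack at all and gives you a log of them.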




