Date:      Sun, 5 Oct 2008 17:36:01 -0700
From:      Jeremy Chadwick <koitsu@FreeBSD.org>
To:        Scott Bennett <bennett@cs.niu.edu>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: pf vs. RST attack question
Message-ID:  <20081006003601.GA5733@icarus.home.lan>
In-Reply-To: <200810051753.m95Hr3N5014872@mp.cs.niu.edu>
References:  <200810051753.m95Hr3N5014872@mp.cs.niu.edu>

On Sun, Oct 05, 2008 at 12:53:03PM -0500, Scott Bennett wrote:
>      I'm getting a lot of messages like this:
> 
> Oct  4 14:30:00 hellas kernel: Limiting closed port RST response from 250 to 200 packets/sec
> 
> Is there some rule I can insert into /etc/pf.conf to reject these apparently
> invalid RST packets before they can bother TCP?  At the same time, I do not
> want to reject legitimate RST packets.

They're outbound RST packets coming from your box as a result of
incoming packets someone is sending you (possibly an attack).

Proper firewalling rules should help defeat this, but there is no "magic
rule" you can place into pf.conf that will stop this.

If you want a "magic solution", see blackhole(4).

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
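As an added example, not code from Jeremy's reply or from the FreeBSD project: a small sh script that counts and sizes the "Limiting closed port RST response" events from a constructed log sample, then prints the blackhole(4) sysctls and a default-deny pf.conf skeleton that addresses them. The function names, the log sample and the `em0` interface are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the kernel's closed-port RST
# rate-limit messages and emit the blackhole(4) / pf settings a defender applies.

# Constructed sample of /var/log/messages lines (not real data from the poster's host).
SAMPLE_LOG='Oct  4 14:30:00 hellas kernel: Limiting closed port RST response from 250 to 200 packets/sec
Oct  4 14:30:01 hellas kernel: Limiting closed port RST response from 1200 to 200 packets/sec
Oct  4 14:30:02 hellas sshd[123]: Accepted publickey for scott from 192.0.2.10 port 4022
Oct  4 14:31:00 hellas kernel: Limiting closed port RST response from 300 to 200 packets/sec'

# rst_count LOGTEXT -> number of rate-limit events (the kernel logs one per second the cap is hit)
rst_count() {
    printf '%s\n' "$1" | grep -c 'Limiting closed port RST response'
}

# rst_peak LOGTEXT -> largest "from N": RSTs per second the box *wanted* to send, i.e. the
# rate of incoming segments that hit closed ports, before the 200 pkt/s cap applied.
rst_peak() {
    printf '%s\n' "$1" | awk '
        BEGIN { max = 0 }
        /Limiting closed port RST response/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n = $(i + 1) + 0
            if (n > max) max = n
        }
        END { print max }'
}

# blackhole_sysctls -> /etc/sysctl.conf lines. With net.inet.tcp.blackhole=2 the kernel drops
# every TCP segment to a closed port instead of answering with a RST, so there is nothing
# left to rate-limit; icmplim is the 200 pkt/s cap seen in the log. Per blackhole(4) this is
# no firewall replacement: it only covers ports that pf already lets through.
blackhole_sysctls() {
    cat <<'EOF'
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.icmp.icmplim=200
EOF
}

# pf_policy -> default-deny pf.conf skeleton. "block drop" discards silently; "block return"
# would make pf itself send the RSTs the poster wants to avoid. em0 is an assumption.
pf_policy() {
    cat <<'EOF'
ext_if = "em0"
set block-policy drop
block drop in log on $ext_if all
pass in on $ext_if proto tcp to port 22 flags S/SA keep state
pass out on $ext_if all keep state
EOF
}

printf 'rate-limit events: %s, peak RST/s demanded: %s\n' "$(rst_count "$SAMPLE_LOG")" "$(rst_peak "$SAMPLE_LOG")"
```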

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081006003601.GA5733>