Re: Log spam: Limiting * response from 1 to 200 packets/sec

2016-12-21 Thread Ben Woods
On Thu., 22 Dec. 2016 at 12:45 am, Gleb Smirnoff wrote:

> That was my failure and already fixed.
>
Thanks for the fix!

For those of us playing along at home, I believe the fix came in r310032.

https://svnweb.freebsd.org/base?view=revision&revision=310032

Regards,
Ben
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"


Re: Log spam: Limiting * response from 1 to 200 packets/sec

2016-12-21 Thread Gleb Smirnoff
On Wed, Dec 21, 2016 at 11:03:14AM +0100, Eivind Nicolay Evensen wrote:
E> 
E> On Tue, Dec 13, 2016 at 09:48:59AM -0600, Eric van Gyzen wrote:
E> > On 12/13/2016 09:24, Michael Butler wrote:
E> > > Any hints as to why all of my -current equipment is complaining like below. Is
E> > > there a sysctl to moderate/turn this off?
E> > > 
E> > > Dec 13 10:00:01 archive kernel: Limiting icmp unreach response from 1 to 200
E> > > packets/sec
E> > > Dec 13 10:00:21 archive last message repeated 13 times
E> > > Dec 13 10:02:21 archive last message repeated 18 times
E> > > Dec 13 10:06:21 archive last message repeated 36 times
E> > > Dec 13 10:07:11 archive kernel: Limiting icmp ping response from 1 to 200
E> > > packets/sec
E> 
E> 
E> I repeated that on the nearest 10.0 here, because this looked strange, and
E> indeed I see:
E> Limiting icmp ping response from 294 to 200 packets/sec

This is what should happen.

E> However, the quoted line above that says it is limiting from 1 to 200
E> doesn't sound much of a limit?

That was my failure and already fixed.

-- 
Totus tuus, Glebius.


Re: Log spam: Limiting * response from 1 to 200 packets/sec

2016-12-21 Thread Eivind Nicolay Evensen

On Tue, Dec 13, 2016 at 09:48:59AM -0600, Eric van Gyzen wrote:
> On 12/13/2016 09:24, Michael Butler wrote:
> > Any hints as to why all of my -current equipment is complaining like below. Is
> > there a sysctl to moderate/turn this off?
> > 
> > Dec 13 10:00:01 archive kernel: Limiting icmp unreach response from 1 to 200
> > packets/sec
> > Dec 13 10:00:21 archive last message repeated 13 times
> > Dec 13 10:02:21 archive last message repeated 18 times
> > Dec 13 10:06:21 archive last message repeated 36 times
> > Dec 13 10:07:11 archive kernel: Limiting icmp ping response from 1 to 200
> > packets/sec


I repeated that on the nearest 10.0 here, because this looked strange, and
indeed I see:
Limiting icmp ping response from 294 to 200 packets/sec


However, the quoted line above that says it is limiting from 1 to 200
doesn't sound much of a limit?

-- 
Eivind N. Evensen


Re: Log spam: Limiting * response from 1 to 200 packets/sec

2016-12-13 Thread Gleb Smirnoff
On Tue, Dec 13, 2016 at 11:07:19AM -0500, Michael Butler wrote:
M> >> Any hints as to why all of my -current equipment is complaining like below. Is
M> >> there a sysctl to moderate/turn this off?
M> >>
M> >> Dec 13 10:00:01 archive kernel: Limiting icmp unreach response from 1 to 200
M> >> packets/sec
M> >> Dec 13 10:00:21 archive last message repeated 13 times
M> >> Dec 13 10:02:21 archive last message repeated 18 times
M> >> Dec 13 10:06:21 archive last message repeated 36 times
M> >> Dec 13 10:07:11 archive kernel: Limiting icmp ping response from 1 to 200
M> >> packets/sec
M> >> Dec 13 10:07:55 archive kernel: Limiting icmp unreach response from 1 to 200
M> >> packets/sec
M> >> Dec 13 10:08:21 archive last message repeated 17 times
M> >> Dec 13 10:08:37 archive kernel: Limiting closed port RST response from 4 to 200
M> >> packets/sec
M> >> Dec 13 10:09:55 archive kernel: Limiting icmp unreach response from 1 to 200
M> >> packets/sec
M> >> Dec 13 10:10:21 archive last message repeated 17 times
M> >> Dec 13 10:12:21 archive last message repeated 18 times
M> >> Dec 13 10:12:28 archive kernel: Limiting icmp ping response from 1 to 200
M> >> packets/sec
M> >> Dec 13 10:13:55 archive kernel: Limiting icmp unreach response from 1 to 200
M> >> packets/sec
M> >
M> > What Subversion revision are you running?  Did this start happening after a
M> > recent update?  I ask because r309745 was committed a few days ago and might
M> > have changed the behavior.
M> 
M> That's consistent with my observations. I was in Australia for a couple 
M> of weeks and have just updated from SVN r309056 to r309852,

The r310032 should fix it. I'm sorry for the problem.

-- 
Totus tuus, Glebius.


Re: Log spam: Limiting * response from 1 to 200 packets/sec

2016-12-13 Thread Allan Jude
On 2016-12-13 10:24, Michael Butler wrote:
> Any hints as to why all of my -current equipment is complaining like
> below. Is there a sysctl to moderate/turn this off?
> 
> Dec 13 10:00:01 archive kernel: Limiting icmp unreach response from 1 to
> 200 packets/sec
> Dec 13 10:00:21 archive last message repeated 13 times
> Dec 13 10:02:21 archive last message repeated 18 times
> Dec 13 10:06:21 archive last message repeated 36 times
> Dec 13 10:07:11 archive kernel: Limiting icmp ping response from 1 to
> 200 packets/sec
> Dec 13 10:07:55 archive kernel: Limiting icmp unreach response from 1 to
> 200 packets/sec
> Dec 13 10:08:21 archive last message repeated 17 times
> Dec 13 10:08:37 archive kernel: Limiting closed port RST response from 4
> to 200 packets/sec
> Dec 13 10:09:55 archive kernel: Limiting icmp unreach response from 1 to
> 200 packets/sec
> Dec 13 10:10:21 archive last message repeated 17 times
> Dec 13 10:12:21 archive last message repeated 18 times
> Dec 13 10:12:28 archive kernel: Limiting icmp ping response from 1 to
> 200 packets/sec
> Dec 13 10:13:55 archive kernel: Limiting icmp unreach response from 1 to
> 200 packets/sec
> Dec 13 10:14:21 archive last message repeated 17 times
> Dec 13 10:16:21 archive last message repeated 18 times
> 
> Michael

Yeah, this is a bug. When working as intended, the message would read:

kernel: Limiting closed port RST response from 201 to 200 packets/sec

The first value would be higher than the 2nd value
(net.inet.icmp.icmplim). It should only alert if it is actually limiting
the response rate.

You can mute it by setting: net.inet.icmp.icmplim_output=0

-- 
Allan Jude
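
The rule stated in the message above (a notice is only meaningful when the first number exceeds the limit, net.inet.icmp.icmplim) can be applied when triaging logs. The following is an added example, not part of the original thread or of FreeBSD; the function name `triage` and the sample log are constructed, with message texts following the lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: message texts follow the thread; the cron line is filler.
SAMPLE_LOG = """\
Dec 13 10:00:01 archive kernel: Limiting icmp unreach response from 1 to 200 packets/sec
Dec 13 10:00:21 archive last message repeated 13 times
Dec 13 10:07:11 archive kernel: Limiting icmp ping response from 1 to 200 packets/sec
Dec 13 10:08:37 archive kernel: Limiting closed port RST response from 4 to 200 packets/sec
Dec 13 10:09:02 archive cron[812]: constructed unrelated entry
Dec 13 10:09:12 archive last message repeated 5 times
Dec 13 10:09:40 archive kernel: Limiting closed port RST response from 201 to 200 packets/sec
Dec 13 10:09:55 archive kernel: Limiting icmp ping response from 294 to 200 packets/sec
Dec 13 10:10:21 archive last message repeated 2 times
"""

LIMIT_RE = re.compile(
    r"kernel: Limiting (?P<kind>.+?) response "
    r"from (?P<seen>\d+) to (?P<limit>\d+) packets/sec"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


def triage(log_text):
    """Count genuine vs. spurious rate-limit notices per response type.

    "limited"  : observed rate exceeded the limit (the intended message)
    "spurious" : observed rate was at or below the limit (the bug in the thread)
    "peak"     : highest observed rate among the genuine notices
    """
    stats = defaultdict(lambda: {"limited": 0, "spurious": 0, "peak": 0})
    previous = None  # (kind, verdict) of the line syslogd may report as repeated
    for line in log_text.splitlines():
        hit = LIMIT_RE.search(line)
        if hit:
            seen, limit = int(hit["seen"]), int(hit["limit"])
            verdict = "limited" if seen > limit else "spurious"
            entry = stats[hit["kind"]]
            entry[verdict] += 1
            if verdict == "limited":
                entry["peak"] = max(entry["peak"], seen)
            previous = (hit["kind"], verdict)
            continue
        rep = REPEAT_RE.search(line)
        if rep and previous:
            # syslogd's repeat notice refers to the immediately preceding message
            kind, verdict = previous
            stats[kind][verdict] += int(rep["n"])
        elif not rep:
            previous = None  # an unrelated message breaks the repeat chain
    return dict(stats)


if __name__ == "__main__":
    for kind, entry in sorted(triage(SAMPLE_LOG).items()):
        print(f"{kind:16} limited={entry['limited']:3} "
              f"spurious={entry['spurious']:3} peak={entry['peak']}")
```

Only the "limited" counts reflect actual response throttling; a log dominated by "spurious" entries points at the regression discussed in this thread rather than at scan traffic.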


Re: Log spam: Limiting * response from 1 to 200 packets/sec

2016-12-13 Thread Gary Palmer
On Tue, Dec 13, 2016 at 11:19:18AM -0500, Michael Butler wrote:
> On 12/13/16 11:15, Gary Palmer wrote:
> > On Tue, Dec 13, 2016 at 10:43:27AM -0500, Michael Butler wrote:
> >> On 12/13/16 10:29, Dimitry Andric wrote:
> >>
> >>> Somebody is most likely port scanning your machines.  I see this all the
> >>> time on boxes connected to the internet.
> >>
> >> As are mine. I wouldn't mind so much if the message contained sufficient
> >> useful information that could be acted on, e.g. originating IP address
> >> and, when appropriate, destination port.
> >
> > sysctl net.inet.tcp.log_in_vain=1
> > sysctl net.inet.udp.log_in_vain=1
> >
> > be prepared for a lot of logs if you are being port scanned
> 
> Or, apparently, have a windoze box on that segment :-(

Windows client boxes at least do a lot of broadcasts, but in my experience
they don't trigger log_in_vain (maybe they will if you have promisc network
interfaces enabled).  Not sure about servers as I don't have any at home.

Gary


Re: Log spam: Limiting * response from 1 to 200 packets/sec

2016-12-13 Thread Gleb Smirnoff
On Tue, Dec 13, 2016 at 11:07:19AM -0500, Michael Butler wrote:
M> On 12/13/16 10:48, Eric van Gyzen wrote:
M> > On 12/13/2016 09:24, Michael Butler wrote:
M> >> Any hints as to why all of my -current equipment is complaining like below. Is
M> >> there a sysctl to moderate/turn this off?
M> >>
M> >> Dec 13 10:00:01 archive kernel: Limiting icmp unreach response from 1 to 200
M> >> packets/sec
M> >> Dec 13 10:00:21 archive last message repeated 13 times
M> >> Dec 13 10:02:21 archive last message repeated 18 times
M> >> Dec 13 10:06:21 archive last message repeated 36 times
M> >> Dec 13 10:07:11 archive kernel: Limiting icmp ping response from 1 to 200
M> >> packets/sec
M> >> Dec 13 10:07:55 archive kernel: Limiting icmp unreach response from 1 to 200
M> >> packets/sec
M> >> Dec 13 10:08:21 archive last message repeated 17 times
M> >> Dec 13 10:08:37 archive kernel: Limiting closed port RST response from 4 to 200
M> >> packets/sec
M> >> Dec 13 10:09:55 archive kernel: Limiting icmp unreach response from 1 to 200
M> >> packets/sec
M> >> Dec 13 10:10:21 archive last message repeated 17 times
M> >> Dec 13 10:12:21 archive last message repeated 18 times
M> >> Dec 13 10:12:28 archive kernel: Limiting icmp ping response from 1 to 200
M> >> packets/sec
M> >> Dec 13 10:13:55 archive kernel: Limiting icmp unreach response from 1 to 200
M> >> packets/sec
M> >
M> > What Subversion revision are you running?  Did this start happening after a
M> > recent update?  I ask because r309745 was committed a few days ago and might
M> > have changed the behavior.
M> 
M> That's consistent with my observations. I was in Australia for a couple 
M> of weeks and have just updated from SVN r309056 to r309852,

Yes, this is our fail. I will take a look today.

-- 
Totus tuus, Glebius.


Re: Log spam: Limiting * response from 1 to 200 packets/sec

2016-12-13 Thread Michael Butler

On 12/13/16 11:15, Gary Palmer wrote:
> On Tue, Dec 13, 2016 at 10:43:27AM -0500, Michael Butler wrote:
>> On 12/13/16 10:29, Dimitry Andric wrote:
>>
>>> Somebody is most likely port scanning your machines.  I see this all the
>>> time on boxes connected to the internet.
>>
>> As are mine. I wouldn't mind so much if the message contained sufficient
>> useful information that could be acted on, e.g. originating IP address
>> and, when appropriate, destination port.
>
> sysctl net.inet.tcp.log_in_vain=1
> sysctl net.inet.udp.log_in_vain=1
>
> be prepared for a lot of logs if you are being port scanned

Or, apparently, have a windoze box on that segment :-(

Michael




Re: Log spam: Limiting * response from 1 to 200 packets/sec

2016-12-13 Thread Gary Palmer
On Tue, Dec 13, 2016 at 10:43:27AM -0500, Michael Butler wrote:
> On 12/13/16 10:29, Dimitry Andric wrote:
> 
> > Somebody is most likely port scanning your machines.  I see this all the
> > time on boxes connected to the internet.
> 
> As are mine. I wouldn't mind so much if the message contained sufficient 
> useful information that could be acted on, e.g. originating IP address 
> and, when appropriate, destination port.

sysctl net.inet.tcp.log_in_vain=1
sysctl net.inet.udp.log_in_vain=1

be prepared for a lot of logs if you are being port scanned

Regards,

Gary


Re: Log spam: Limiting * response from 1 to 200 packets/sec

2016-12-13 Thread Michael Butler

On 12/13/16 10:48, Eric van Gyzen wrote:
> On 12/13/2016 09:24, Michael Butler wrote:
>> Any hints as to why all of my -current equipment is complaining like below. Is
>> there a sysctl to moderate/turn this off?
>>
>> Dec 13 10:00:01 archive kernel: Limiting icmp unreach response from 1 to 200
>> packets/sec
>> Dec 13 10:00:21 archive last message repeated 13 times
>> Dec 13 10:02:21 archive last message repeated 18 times
>> Dec 13 10:06:21 archive last message repeated 36 times
>> Dec 13 10:07:11 archive kernel: Limiting icmp ping response from 1 to 200
>> packets/sec
>> Dec 13 10:07:55 archive kernel: Limiting icmp unreach response from 1 to 200
>> packets/sec
>> Dec 13 10:08:21 archive last message repeated 17 times
>> Dec 13 10:08:37 archive kernel: Limiting closed port RST response from 4 to 200
>> packets/sec
>> Dec 13 10:09:55 archive kernel: Limiting icmp unreach response from 1 to 200
>> packets/sec
>> Dec 13 10:10:21 archive last message repeated 17 times
>> Dec 13 10:12:21 archive last message repeated 18 times
>> Dec 13 10:12:28 archive kernel: Limiting icmp ping response from 1 to 200
>> packets/sec
>> Dec 13 10:13:55 archive kernel: Limiting icmp unreach response from 1 to 200
>> packets/sec
>
> What Subversion revision are you running?  Did this start happening after a
> recent update?  I ask because r309745 was committed a few days ago and might
> have changed the behavior.

That's consistent with my observations. I was in Australia for a couple
of weeks and have just updated from SVN r309056 to r309852,


Michael




Re: Log spam: Limiting * response from 1 to 200 packets/sec

2016-12-13 Thread Matthew Seaman
On 2016/12/13 15:43, Michael Butler wrote:
> On 12/13/16 10:29, Dimitry Andric wrote:
> 
>> Somebody is most likely port scanning your machines.  I see this all the
>> time on boxes connected to the internet.
> 
> As are mine. I wouldn't mind so much if the message contained sufficient
> useful information that could be acted on, e.g. originating IP address
> and, when appropriate, destination port.

If you want that sort of information, you can use pf(4) with a default
rule to log and reject connections to your system. (Plus rules to permit
traffic to legitimate services, obviously.)  You can also just 'drop'
the denied connections rather than the default response of sending back
an ICMP unreachable or reset response, which will save you sending out a
lot of itty-bitty packets that the port scanners wouldn't pay attention
to anyhow.

Cheers,

Matthew







Re: Log spam: Limiting * response from 1 to 200 packets/sec

2016-12-13 Thread Eric van Gyzen
On 12/13/2016 09:24, Michael Butler wrote:
> Any hints as to why all of my -current equipment is complaining like below. Is
> there a sysctl to moderate/turn this off?
> 
> Dec 13 10:00:01 archive kernel: Limiting icmp unreach response from 1 to 200
> packets/sec
> Dec 13 10:00:21 archive last message repeated 13 times
> Dec 13 10:02:21 archive last message repeated 18 times
> Dec 13 10:06:21 archive last message repeated 36 times
> Dec 13 10:07:11 archive kernel: Limiting icmp ping response from 1 to 200
> packets/sec
> Dec 13 10:07:55 archive kernel: Limiting icmp unreach response from 1 to 200
> packets/sec
> Dec 13 10:08:21 archive last message repeated 17 times
> Dec 13 10:08:37 archive kernel: Limiting closed port RST response from 4 to 200
> packets/sec
> Dec 13 10:09:55 archive kernel: Limiting icmp unreach response from 1 to 200
> packets/sec
> Dec 13 10:10:21 archive last message repeated 17 times
> Dec 13 10:12:21 archive last message repeated 18 times
> Dec 13 10:12:28 archive kernel: Limiting icmp ping response from 1 to 200
> packets/sec
> Dec 13 10:13:55 archive kernel: Limiting icmp unreach response from 1 to 200
> packets/sec

What Subversion revision are you running?  Did this start happening after a
recent update?  I ask because r309745 was committed a few days ago and might
have changed the behavior.

Eric


Re: Log spam: Limiting * response from 1 to 200 packets/sec

2016-12-13 Thread Michael Butler

On 12/13/16 10:29, Dimitry Andric wrote:
> Somebody is most likely port scanning your machines.  I see this all the
> time on boxes connected to the internet.

As are mine. I wouldn't mind so much if the message contained sufficient
useful information that could be acted on, e.g. originating IP address
and, when appropriate, destination port.

> sysctl net.inet.icmp.icmplim_output=0, or increase the ICMP limit, if
> you want to help the port scanners. :-)

I've added the sysctl to mute the warnings - thanks :-)

Michael




Re: Log spam: Limiting * response from 1 to 200 packets/sec

2016-12-13 Thread Dimitry Andric
On 13 Dec 2016, at 16:24, Michael Butler  wrote:
> 
> Any hints as to why all of my -current equipment is complaining like below.

Somebody is most likely port scanning your machines.  I see this all the
time on boxes connected to the internet.


> Is there a sysctl to moderate/turn this off?
> 
> Dec 13 10:00:01 archive kernel: Limiting icmp unreach response from 1 to 200 
> packets/sec
> Dec 13 10:00:21 archive last message repeated 13 times
> Dec 13 10:02:21 archive last message repeated 18 times
> Dec 13 10:06:21 archive last message repeated 36 times
> Dec 13 10:07:11 archive kernel: Limiting icmp ping response from 1 to 200 
> packets/sec
> Dec 13 10:07:55 archive kernel: Limiting icmp unreach response from 1 to 200 
> packets/sec
> Dec 13 10:08:21 archive last message repeated 17 times
> Dec 13 10:08:37 archive kernel: Limiting closed port RST response from 4 to 
> 200 packets/sec
> Dec 13 10:09:55 archive kernel: Limiting icmp unreach response from 1 to 200 
> packets/sec
> Dec 13 10:10:21 archive last message repeated 17 times
> Dec 13 10:12:21 archive last message repeated 18 times
> Dec 13 10:12:28 archive kernel: Limiting icmp ping response from 1 to 200 
> packets/sec
> Dec 13 10:13:55 archive kernel: Limiting icmp unreach response from 1 to 200 
> packets/sec
> Dec 13 10:14:21 archive last message repeated 17 times
> Dec 13 10:16:21 archive last message repeated 18 times

sysctl net.inet.icmp.icmplim_output=0, or increase the ICMP limit, if
you want to help the port scanners. :-)

-Dimitry





Log spam: Limiting * response from 1 to 200 packets/sec

2016-12-13 Thread Michael Butler
Any hints as to why all of my -current equipment is complaining like 
below. Is there a sysctl to moderate/turn this off?


Dec 13 10:00:01 archive kernel: Limiting icmp unreach response from 1 to 200 packets/sec
Dec 13 10:00:21 archive last message repeated 13 times
Dec 13 10:02:21 archive last message repeated 18 times
Dec 13 10:06:21 archive last message repeated 36 times
Dec 13 10:07:11 archive kernel: Limiting icmp ping response from 1 to 200 packets/sec
Dec 13 10:07:55 archive kernel: Limiting icmp unreach response from 1 to 200 packets/sec
Dec 13 10:08:21 archive last message repeated 17 times
Dec 13 10:08:37 archive kernel: Limiting closed port RST response from 4 to 200 packets/sec
Dec 13 10:09:55 archive kernel: Limiting icmp unreach response from 1 to 200 packets/sec
Dec 13 10:10:21 archive last message repeated 17 times
Dec 13 10:12:21 archive last message repeated 18 times
Dec 13 10:12:28 archive kernel: Limiting icmp ping response from 1 to 200 packets/sec
Dec 13 10:13:55 archive kernel: Limiting icmp unreach response from 1 to 200 packets/sec
Dec 13 10:14:21 archive last message repeated 17 times
Dec 13 10:16:21 archive last message repeated 18 times

Michael