No need to shut it down; no harm is being caused, but you should solve the problem when you can as your TCP is behaving oddly.
I'm curious, what version of FreeBSD are you running? Amprgw is a FreeBSD 10.3 host and it doesn't do this as far as I can tell. It does not use the in-kernel IPIP encapsulation though.
I wonder if we've uncovered a kernel encap bug? The normal FreeBSD network stack is very well proven, but I don't think very many people use the in-kernel IPIP encap.
You might want to consider some of the suggestions for tuning high-volume hosts, such as limiting ICMP replies, adjusting tcp.msl, and so on. Google for 'freebsd network tuning' for some helpful suggestions. Rate limiting ICMP is probably a good place to start. Try sysctl net.inet.icmp.icmplim=5 - Brian
On Wed, Apr 26, 2017 at 11:42:03PM -0700, Jeremy Cooper wrote:
This is my gateway. I'll shut it down until I can figure out what is happening. I run FreeBSD and 44ripd, so that's why I am unusual.
Someone did indeed try a very aggressive portscan from a very diverse set of hosts against me recently:
Apr 26 21:28:33 bbs kernel: Limiting closed port RST response from 402 to 200 packets/sec Apr 26 21:31:45 bbs kernel: Limiting closed port RST response from 208 to 200 packets/sec Apr 26 21:31:48 bbs kernel: Limiting closed port RST response from 395 to 200 packets/sec
-J
On Apr 26, 2017, at 20:30, Brian Kantor Brian@UCSD.Edu wrote:
A few times a minute, a host claiming to be ke6jjj-8 (44.4.39.8) is sending an encapped packet that is peculiar: it is either 40 or 44 ...