Date:      Thu, 7 Apr 2005 09:51:37 -0700
From:      aksis@idea-anvil.net
To:        freebsd-questions@freebsd.org
Subject:   ipfw + pipe and icmp
Message-ID:  <200504070951.38865.aksis@idea-anvil.net>

Hi,

I want to allow *all* icmp traffic on the firewall, but I don't want
*incoming* traffic to be able to overwhelm my connection, so I am going to
use ipfw pipe.

I just wanted to double check and make sure what I am going to do will work 
the way I think it will:

... snip ...
cmd="ipfw add"
oif="tun0"
skip="skipto 60000"
ks="keep-state"

#  ping -s 56 -c 10
# 56 translates into 64 ICMP data bytes when combined with
# the 8 bytes of ICMP header data, thus for the pipe:
ipfw pipe 1 config bw 640bits/s    # <-- will this and queue need a rule number?
ipfw queue 1 config pipe 1         # queue 1 feeds pipe 1, so the "queue 1" rules below have something to refer to
$cmd queue 1 icmp from any to any in via $oif $ks    # <-- rule number?  ($cmd already contains "add")
... snip ...
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state
... snip ...
$cmd 200 queue 1 icmp from any to any in via $oif $ks
$cmd 201 $skip icmp from any to any out via $pif $ks
$cmd 202 allow log icmp from any to any $ks    # any remaining icmp: allow and log it
... snip ...
$cmd 59999 deny all from any to any
$cmd 60000 divert natd ip from any to any out via $pif
$cmd 60010 allow ip from any to any
... snip ...

I believe this will limit all incoming icmp traffic to 640bits/s but not any
outgoing, or replies to outgoing, thus making icmp flooding impossible. Please
correct me if I am wrong (did I form the rules correctly?), or if I should
go about this another way.

Also, how much bandwidth does a single default sized ping packet consume?
Should I raise or lower the limit (I don't want the replies to be false or
give too much slack)? This is a part that I'm not clear on at all. I don't
believe more than 10 pings should be considered.

Also, if I start using rules with pipes, will I need to rewrite all the rules 
to use pipes or will only the rules with pipes be limited and everything else 
will operate on default?

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200504070951.38865.aksis>
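A worked sizing of the pipe for the "how much bandwidth does a ping consume" question above, as an added example that is not part of the original post. It assumes IPv4 without IP options (20-byte IP header) and that dummynet meters the IP packet length, so PPP framing on tun0 is not counted; the rule number 200 and the interface name are taken from the post.

```shell
#!/bin/sh
# Added example: size a dummynet pipe for ICMP echo traffic.
# Assumption: IPv4, no IP options -> 20-byte IP header + 8-byte ICMP header + data.
# Assumption: dummynet meters the IP packet length (no PPP/link framing on tun0).

# Bits dummynet charges for one ping with N data bytes (ping -s N; default 56).
ping_bits() {
    data=${1:-56}
    echo $(( (20 + 8 + data) * 8 ))
}

# Pipe bandwidth (bit/s) needed to pass RATE pings of N data bytes per second.
pipe_bw() {
    rate=$1; data=${2:-56}
    echo $(( rate * $(ping_bits "$data") ))
}

# Whole pings per second a pipe of BW bit/s can drain (integer division,
# so 0 means the pipe cannot clear even one packet per second).
pings_per_sec() {
    bw=$1; data=${2:-56}
    echo $(( bw / $(ping_bits "$data") ))
}

# Milliseconds a pipe of BW bit/s needs to clock out one ping.
ping_interval_ms() {
    bw=$1; data=${2:-56}
    echo $(( $(ping_bits "$data") * 1000 / bw ))
}

# Emit the dummynet objects for a budget of BW bit/s. Pipe and queue numbers
# are dummynet object ids, not firewall rule numbers; only the rule that
# sends traffic into the queue carries a rule number.
dummynet_config() {
    bw=$1
    printf 'ipfw pipe 1 config bw %sbit/s\n' "$bw"
    printf 'ipfw queue 1 config pipe 1\n'
    printf 'ipfw add 200 queue 1 icmp from any to any in via tun0 keep-state\n'
}

# Compare the 640 bit/s figure from the post with a budget of 10 default pings/s.
report() {
    echo "one default ping        = $(ping_bits 56) bits"
    echo "640 bit/s drains        = $(pings_per_sec 640) whole ping(s)/s, one every $(ping_interval_ms 640) ms"
    echo "10 default pings/s need = $(pipe_bw 10) bit/s"
    dummynet_config "$(pipe_bw 10)"
}

report
```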