From: mi@aldan.algebra.com
Date: Wed, 6 Jun 2001 20:27:12 -0400 (EDT)
Subject: using ipfw's ``pipe'' to limit icmp traffic
To: questions@freebsd.org
Message-Id: <200106070028.f570SPW07419@misha.privatelabs.com>

Trying to protect our network from ICMP-based attacks, I added the following rules to the firewall:

    pipe 1 config bw 64Kbit/s
    add pipe 1 log icmp from any to any in via OIF
    add allow icmp from any to any

(OIF is the Outside InterFace.)

The assumption is, there is not going to be _much_ ICMP traffic, so if it ever needs more than 64Kbit/s, it is an attack...

This seems to work, but when I try to ping something outside the network, the ping time is around 10 msec. Without the above piping, it is around 0.5 msec. It is the bandwidth that I'm trying to limit, not the minimum latency!
Even more bizarre is that the ping times are _higher_ when pings originate from the firewall itself, compared to those that originate from inside the firewalled network... What am I doing wrong?

Thanks!

-mi
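Editor's note, with an added example that is not part of the original message or of any reply to it. Two things a practitioner would check before blaming the rules themselves. First, dummynet in the FreeBSD 4.x series of that era services its pipes from the kernel timer, so with the default HZ=100 every packet that traverses a pipe waits for the next 10 ms tick regardless of the configured bandwidth; ipfw(8) of that series recommends `options HZ=1000` in the kernel configuration for finer pipe scheduling, which matches the ~10 msec round trip in the post. Second, with `net.inet.ip.fw.one_pass=1` (the default) a packet leaving a pipe is accepted immediately and is not re-matched against later rules, so the trailing `allow` rule only ever sees ICMP that did not take the pipe. The script below reissues the post's three rules as a shell function in the style of rc.firewall, defaulting to a dry run; the interface name `fxp0`, the rule numbers and the reduced queue size of 10 slots (the dummynet default is 50) are my assumptions, not the poster's settings.

```shell
#!/bin/sh
# Added example, not code from the original post. Emits the ICMP
# rate-limit ruleset as ipfw commands. Dry run by default: set
# IPFW=/sbin/ipfw in the environment to actually apply the rules.

icmp_pipe_rules() {
    oif="$1"                    # outside interface, e.g. fxp0 (assumed name)
    bw="${2:-64Kbit/s}"         # bandwidth cap, the figure from the post
    fw="${IPFW:-echo ipfw}"     # "echo ipfw" prints what would be run

    # Pipe 1 is the bandwidth cap. "queue 10" bounds the number of
    # packets that may sit in the pipe (dummynet's default is 50 slots);
    # at 64Kbit/s a full 50-slot queue of large packets adds far more
    # queueing delay than a burst of pings should see. 10 is an assumed
    # value, not from the post.
    $fw pipe 1 config bw "$bw" queue 10

    # Only ICMP arriving on the outside interface is sent through the
    # pipe. Pipe traversal costs up to one kernel timer tick on a
    # HZ=100 kernel, i.e. up to 10 ms, independent of "bw".
    $fw add 1000 pipe 1 log icmp from any to any in via "$oif"

    # With net.inet.ip.fw.one_pass=1 (the default) packets leaving the
    # pipe are accepted and never reach this rule; it only matches ICMP
    # that did not enter the pipe (outbound, or not via the outside
    # interface).
    $fw add 1010 allow icmp from any to any
}

# Dry-run usage: prints the three commands that would be issued.
icmp_pipe_rules fxp0
```

Run it as is to see the commands; run `IPFW=/sbin/ipfw sh thisfile.sh fxp0` style (or source the function and call it) on the firewall itself to install them. The `queue` and `HZ` adjustments address the latency; they do not change the 64Kbit/s cap, which is the only thing the post set out to enforce.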