From: mi@aldan.algebra.com
Reply-To: mi@aldan.algebra.com
Date: Thu, 7 Jun 2001 13:33:27 -0400 (EDT)
Subject: Re: using ipfw's ``pipe'' to limit icmp traffic
To: ipthomas_77@yahoo.com
Cc: freebsd-questions@freebsd.org
Message-Id: <200106071733.f57HXSW09312@misha.privatelabs.com>
In-Reply-To: <200106071614.MAA01227@scarlet.my.domain>

On 7 Jun, Ian P. Thomas wrote:

> I added ICMP_BANDLIM as an option in the kernel. It is used to
> prevent just the sort of attacks you are using your firewall for. I have
> seen no slowdown in my ping times since implementing it.

Mmmm, but will it protect the whole network, or just this machine?

Yours,

	-mi

> Ian
>
> In the last episode, mi@aldan.algebra.com stated...
>> Trying to protect our network from ICMP-based attacks, I added the
>> following rules to the firewall:
>>
>>	pipe 1 config bw 64Kbit/s
>>	add pipe 1 log icmp from any to any in via OIF
>>	add allow icmp from any to any
>>
>> (OIF is the Outside InterFace)
>>
>> The assumption is, there is not going to be _much_ ICMP traffic, so
>> if it ever needs more than 64Kbit/s, it is an attack...
>>
>> This seems to work, but when I try to ping something outside the
>> network, the ping time is around 10 msec. Without the above piping, it
>> is around 0.5 msec. It is the bandwidth that I'm trying to limit, not
>> the minimum latency!
>>
>> Even more bizarre is that the ping times are _higher_ when pings
>> originate from the firewall itself, compared to those that originate
>> from inside the firewalled network...
>>
>> What am I doing wrong? Thanks!
>>
>> -mi
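The following script is an added example and is not part of the thread or of the poster's own configuration. It builds the same kind of ipfw/dummynet ICMP pipe as the quoted rules and checks the two numbers that decide the latency such a pipe adds: the dummynet scheduler only moves packets between queues once per kernel tick, so a pipe adds up to 1000/kern.hz ms even when idle (10 ms at the FreeBSD 4.x default of HZ=100, 1 ms at HZ=1000), and a full queue of Q Kbytes draining at B Kbit/s adds up to Q*1024*8/B ms. ICMP_BANDLIM (sysctl net.inet.icmp.icmplim) is a separate mechanism: it limits ICMP responses that the kernel itself generates, and does not touch packets merely forwarded through the box. The interface name, rule numbers, bandwidth and queue size below are placeholders; nothing is applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate, sanity-check and
# optionally apply an ipfw/dummynet ruleset that rate-limits ICMP.
# Assumes FreeBSD with IPFIREWALL and DUMMYNET; "fxp0", rule numbers 1000-1020,
# 64 Kbit/s and 8 Kbytes are placeholders, not values from the thread.

# Scheduler granularity in ms: dummynet services its pipes once per tick,
# so a pipe adds up to 1000/kern.hz ms of delay even with an empty queue.
tick_ms() {
    hz="$1"
    echo $(( 1000 / hz ))
}

# Worst-case queueing delay in ms of a pipe whose queue holds qkbytes Kbytes
# (ipfw "queue NKbytes", 1 Kbyte = 1024 bytes) and drains at bw_kbit Kbit/s.
queue_delay_ms() {
    qkbytes="$1"; bw_kbit="$2"
    echo $(( qkbytes * 1024 * 8 / bw_kbit ))
}

# Report the two kernel settings that matter for this ruleset, with fallbacks
# so the function also runs on a system that lacks the sysctls (no FreeBSD).
kernel_settings() {
    hz=$(sysctl -n kern.hz 2>/dev/null || echo 100)
    lim=$(sysctl -n net.inet.icmp.icmplim 2>/dev/null || echo unknown)
    echo "kern.hz=$hz (pipe tick $(tick_ms "$hz") ms) net.inet.icmp.icmplim=$lim"
}

# Emit the ruleset. oif = outside interface, bw = Kbit/s, qkbytes = queue size.
# Both directions through OIF share pipe 1, so a flood in either direction is
# bounded. With net.inet.ip.fw.one_pass=1 (the default) a packet leaves the
# firewall right after the pipe; with one_pass=0 it continues to the next
# rule, where the final allow accepts it. Either way ICMP on inside
# interfaces never touches the pipe. "log" is omitted: it logs every packet
# up to net.inet.ip.fw.verbose_limit, which is noisy under a flood.
icmp_limit_rules() {
    oif="$1"; bw="$2"; qkbytes="$3"
    cat <<EOF
pipe 1 config bw ${bw}Kbit/s queue ${qkbytes}Kbytes
add 1000 pipe 1 icmp from any to any in via ${oif}
add 1010 pipe 1 icmp from any to any out via ${oif}
add 1020 allow icmp from any to any
EOF
}

main() {
    oif="${OIF:-fxp0}"; bw="${BW_KBIT:-64}"; q="${QUEUE_KBYTES:-8}"
    echo "# $(kernel_settings)"
    echo "# full-queue delay at ${bw}Kbit/s with ${q}Kbytes: $(queue_delay_ms "$q" "$bw") ms"
    if [ "${APPLY:-0}" = 1 ]; then
        # Each emitted line is an ipfw subcommand; apply them in order.
        icmp_limit_rules "$oif" "$bw" "$q" | while read -r rule; do
            # shellcheck disable=SC2086
            ipfw $rule
        done
    else
        icmp_limit_rules "$oif" "$bw" "$q"
    fi
}

main "$@"
```

Run it with no arguments to print the settings and the ruleset for review, then `APPLY=1 OIF=<outside-if> sh icmp_pipe.sh` to load it. The reported tick value is the floor on round-trip cost through the pipe: if it says 10 ms, raising HZ in the kernel configuration is what lowers the idle latency, while shrinking the queue only bounds the delay once a flood fills it.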