From owner-freebsd-questions  Thu Jun  7 12:25:18 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from scaup.mail.pas.earthlink.net (scaup.mail.pas.earthlink.net [207.217.121.49])
	by hub.freebsd.org (Postfix) with ESMTP id 0F67537B403
	for ; Thu, 7 Jun 2001 12:25:15 -0700 (PDT)
	(envelope-from ipthomas_77@yahoo.com)
Received: from scarlet.my.domain (1Cust73.tnt13.buffalo.ny.da.uu.net [63.36.56.73])
	by scaup.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id MAA10265;
	Thu, 7 Jun 2001 12:25:12 -0700 (PDT)
Received: (from ipt@localhost)
	by scarlet.my.domain (8.9.3/8.9.3) id PAA08862;
	Thu, 7 Jun 2001 15:24:08 -0400 (EDT)
	(envelope-from ipt)
From: "Ian P. Thomas"
Message-Id: <200106071924.PAA08862@scarlet.my.domain>
Subject: Re: using ipfw's ``pipe'' to limit icmp traffic
To: mi@aldan.algebra.com
Date: Thu, 7 Jun 2001 15:24:07 -0400 (EDT)
Cc: freebsd-questions@freebsd.org
In-Reply-To: from "mi@aldan.algebra.com" at Jun 07, 2001 01:33:27 PM
X-Mailer: ELM [version 2.5 PL5]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

	I'm going to assume just that machine. LINT doesn't say much about
it, and I couldn't find any more info elsewhere. Maybe someone else on the
list knows where to find more info on this feature?

Ian

In the last episode, mi@aldan.algebra.com stated...
> 
> On 7 Jun, Ian P. Thomas wrote:
> 
> > 	I added ICMP_BANDLIM as an option in the kernel. It is used to
> > prevent just the sort of attacks you are using your firewall for. I have
> > seen no slow down on my ping times since implementing it.
> 
> Mmmm, but will it protect the whole network, or just this machine?
> 
> Yours,
> 
> 	-mi
> 
> > Ian
> > 
> > In the last episode, mi@aldan.algebra.com stated...
> >> Trying to protect our network from ICMP-based attacks, I added the
> >> following rules to the firewall:
> >> 
> >> 	pipe 1 config bw 64Kbit/s
> >> 	add pipe 1 log icmp from any to any in via OIF
> >> 	add allow icmp from any to any
> >> 
> >> (OIF is the Outside InterFace)
> >> 
> >> The assumption is, there is not going to be _much_ ICMP traffic, so
> >> if it ever needs more than 64Kbit/s, it is an attack...
> >> 
> >> This seems to work, but when I try to ping something outside the
> >> network, the ping time is around 10 msec. Without the above piping, it
> >> is around 0.5 msec. It is the bandwidth that I'm trying to limit, not
> >> the minimum latency!
> >> 
> >> Even more bizarre is that the ping times are _higher_ when pings
> >> originate from the firewall itself, compared to those that originate
> >> from inside the firewalled network...
> >> 
> >> What am I doing wrong? Thanks!
> >> 
> >> 	-mi
> > 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
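[Editor's added example; this is not code from the thread or from FreeBSD.]
The latency mi reports follows from how a dummynet pipe works rather than from a
misconfiguration: the pipe emulates a link of the configured bandwidth, so an
84-byte ICMP echo (ping's default 56-byte payload plus ICMP and IP headers)
occupies a 64 Kbit/s link for 84*8/64000 s = 10.5 ms, and dummynet's scheduler
is driven by the kernel clock, so it only moves packets once per tick, which is
10 ms at the FreeBSD 4.x default of HZ=100. The model below reproduces both
effects and also shows what the same pipe does to a flood. Everything in it that
the page does not state is an assumption: the HZ=100 tick, dummynet's default
50-slot queue, and a credit scheme in which one tick's worth of bits is added per
tick (with no banking while idle) and a queued packet leaves at a scheduler run
whenever the credit is not negative, being charged afterwards. It is an
approximation of the algorithm, not a port of ip_dummynet.c. The flood input is
constructed for the demonstration.

```python
"""Simplified model of an ipfw(8)/dummynet bandwidth pipe.

Added example, not code from the mailing-list thread or from FreeBSD.
Assumptions (not stated on the page): the scheduler runs once per kernel tick
with HZ=100 (a 10 ms tick, the FreeBSD 4.x default), the pipe keeps dummynet's
default 50-slot queue, credit accrues one tick's worth of bits per tick and does
not bank up while idle, and a queued packet leaves at a scheduler run when the
credit is not negative and is charged afterwards.  An approximation, not a port
of ip_dummynet.c.
"""
import math
from collections import deque

# ping(8) default: 56 bytes of payload + 8 ICMP + 20 IP = 84 bytes on the wire
ICMP_ECHO_BYTES = 84


def serialization_ms(pkt_bytes, bw_bps):
    """Time the emulated link needs to clock one packet out, in ms."""
    return pkt_bytes * 8 * 1000.0 / bw_bps


def bandwidth_for_latency(pkt_bytes, max_ms):
    """Smallest pipe bandwidth (bit/s) at which one packet serializes within max_ms."""
    return math.ceil(pkt_bytes * 8 * 1000.0 / max_ms)


def simulate_pipe(arrivals_ms, bw_bps, hz=100, queue_slots=50,
                  pkt_bytes=ICMP_ECHO_BYTES):
    """Push packets arriving at the given times (ms, ascending) through the pipe.

    Returns (delays, drops): the one-way delay in ms of every delivered packet,
    in delivery order, and the number of packets dropped on a full queue.
    """
    tick_ms = 1000.0 / hz
    credit_per_tick = bw_bps / hz          # bits the emulated link moves per tick
    queue = deque()                        # arrival times of queued packets
    credit = 0.0
    delays, drops, i, tick = [], 0, 0, 0
    while i < len(arrivals_ms) or queue:
        now = tick * tick_ms               # the scheduler only runs on ticks
        # Admit what arrived since the last run; tail-drop when the queue is full.
        while i < len(arrivals_ms) and arrivals_ms[i] <= now:
            if len(queue) < queue_slots:
                queue.append(arrivals_ms[i])
            else:
                drops += 1
            i += 1
        credit = min(credit + credit_per_tick, credit_per_tick)
        # Transmit while the credit is non-negative, charging each packet afterwards.
        while queue and credit >= 0:
            delays.append(now - queue.popleft())
            credit -= pkt_bytes * 8
        tick += 1
    return delays, drops


def lone_ping_delay_ms(bw_bps=64_000, hz=100):
    """Delay added to a single echo reply that arrives 0.3 ms into a tick."""
    delays, _ = simulate_pipe([0.3], bw_bps, hz=hz)
    return delays[0]


def flood_summary(bw_bps=64_000, hz=100, pps=2000, duration_ms=100):
    """Constructed flood: `pps` 84-byte echoes per second for `duration_ms`.

    Returns (delivered, dropped, worst_delay_ms).
    """
    spacing = 1000.0 / pps
    arrivals = [0.3 + spacing * k for k in range(int(pps * duration_ms / 1000))]
    delays, drops = simulate_pipe(arrivals, bw_bps, hz=hz)
    return len(delays), drops, max(delays)


if __name__ == "__main__":
    print("one 84-byte echo occupies a 64 Kbit/s link for %.1f ms"
          % serialization_ms(ICMP_ECHO_BYTES, 64_000))
    print("lone ping pays %.1f ms at HZ=100, %.1f ms at HZ=1000"
          % (lone_ping_delay_ms(), lone_ping_delay_ms(hz=1000)))
    delivered, dropped, worst = flood_summary()
    print("2000 pps flood for 100 ms: %d delivered, %d dropped, worst delay %.1f ms"
          % (delivered, dropped, worst))
    print("bandwidth needed to serialize one echo in 1 ms: %d bit/s"
          % bandwidth_for_latency(ICMP_ECHO_BYTES, 1.0))
```

Reading the results against the thread: with the 64 Kbit/s pipe a lone ping pays
up to one tick of alignment delay (9.7 ms in the model at HZ=100, 0.7 ms at
HZ=1000), which is the scale of the jump from 0.5 to 10 msec; the dummynet(4)
manual page recommends building the kernel with HZ=1000 for exactly this reason.
The bandwidth limit does do its job against a flood (59 of 200 packets get
through, the rest are dropped), but while the 50-slot queue is full every
legitimate ICMP packet sharing the pipe waits roughly half a second behind it, so
a tight bandwidth pipe trades ICMP usability for protection of the link. On the
ICMP_BANDLIM point in the reply: that option rate-limits the ICMP responses the
local host itself generates (echo replies, unreachables), so it protects only the
machine it is compiled into, not hosts behind it.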