Date:      Fri, 11 Jun 1999 20:23:19 -0400 (EDT)
From:      Pete Fritchman <petef@netreach.net>
To:        Ruslan Ermilov <ru@ucb.crimea.ua>
Cc:        "Jason L. Schwab" <jschwab@royal.net>, ghandi@mindless.com, freebsd-security@FreeBSD.ORG
Subject:   Re: firewalls
Message-ID:  <Pine.LNX.3.96.990611202315.5891A-100000@static-petef.netreach.net>
In-Reply-To: <19990612004633.A29090@relay.ucb.crimea.ua>

I did it before and it worked fine.

--------------------
[  Pete Fritchman  ]
[ Systems Engineer ]
[petef@netreach.net]
--------------------

On Sat, 12 Jun 1999, Ruslan Ermilov wrote:

> Date: Sat, 12 Jun 1999 00:46:33 +0300
> From: Ruslan Ermilov <ru@ucb.crimea.ua>
> To: Pete Fritchman <petef@netreach.net>
> Cc: "Jason L. Schwab" <jschwab@royal.net>, ghandi@mindless.com,
>     freebsd-security@FreeBSD.ORG
> Subject: Re: firewalls
> 
> On Fri, Jun 11, 1999 at 05:15:07PM -0400, Pete Fritchman wrote:
> > You probably just want to deny all icmp to your dialup.
> > 
> > ipfw add deny icmp from any to any
> > 
> > --------------------
> > [  Pete Fritchman  ]
> > [ Systems Engineer ]
> > [petef@netreach.net]
> > --------------------
> > 
> Don't do it!!!  It will break Path MTU discovery:
> http://www.worldgate.com/~marcs/mtu/
> 
> Instead, use ICMP_BANDLIM option:
> 
> * Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl.  If option
> * is specified in kernel config, icmplim defaults to 100 pps.  Setting it
> * to 0 will disable the feature.  This feature limits ICMP error responses
> * for packets sent to bad tcp or udp ports, which does a lot to help the
> * machine handle network D.O.S. attacks.
> * 
> * The kernel will report packet rates that exceed the limit at a rate of
> * one kernel printf per second.  There is one issue in regards to the
> * 'tail end' of an attack... the kernel will not output the last report
> * until some unrelated and valid icmp error packet is return at some
> * point after the attack is over.  This is a minor reporting issue only.
> 
> 
> Cheers,
> -- 
> Ruslan Ermilov		Sysadmin and DBA of the
> ru@ucb.crimea.ua	United Commercial Bank
> +380.652.247.647	Simferopol, Ukraine
> 
> http://www.FreeBSD.org	The Power To Serve
> http://www.oracle.com	Enabling The Information Age
> 
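The ICMP_BANDLIM behaviour the quoted commit log describes, modelled as an added example (this is not FreeBSD kernel code and not part of the thread); the one-second window, the report text and the closed-port flood input are this model's assumptions. It shows why the sysctl answers the concern without the blanket `deny icmp` rule: only the host's own ICMP error replies to closed TCP/UDP ports are throttled, and the report for the final second of a flood is deferred until a later ICMP error arrives.

```python
class IcmpBandlim:
    """Per-second limiter for ICMP error responses (model, not kernel code)."""

    def __init__(self, icmplim=100):
        self.icmplim = icmplim        # net.inet.icmp.icmplim; 0 disables it
        self.window_start = None      # time (s) the current window began
        self.packets = 0              # responses attempted in this window
        self.reports = []             # one report line per over-limit window

    def allow(self, now):
        """Return True if an ICMP error response may be sent at time `now`."""
        if self.icmplim <= 0:
            return True               # feature disabled: always respond
        if self.window_start is None or now - self.window_start >= 1.0:
            # A new window begins. The previous window is only reported here,
            # on the next response attempt: this is the 'tail end' quirk the
            # commit log mentions (no report until some later ICMP error).
            if self.packets > self.icmplim:
                self.reports.append(
                    f"icmp-response bandwidth limit {self.packets}/{self.icmplim} pps")
            self.window_start = now
            self.packets = 0
        self.packets += 1
        return self.packets <= self.icmplim


def simulate_closed_port_flood(pps, seconds, icmplim=100):
    """Feed `pps` constructed probes/second to closed ports for `seconds` seconds.

    Returns (responses_sent, responses_dropped, limiter) so the caller can
    inspect the report lines and trigger the deferred final report.
    """
    lim = IcmpBandlim(icmplim)
    sent = dropped = 0
    for s in range(seconds):
        for i in range(pps):
            if lim.allow(s + i / pps):
                sent += 1
            else:
                dropped += 1
    return sent, dropped, lim


if __name__ == "__main__":
    sent, dropped, lim = simulate_closed_port_flood(1000, 3)
    print(f"sent={sent} dropped={dropped} reports={len(lim.reports)}")
    lim.allow(10.0)  # an unrelated ICMP error long after the flood ...
    print(lim.reports[-1])  # ... finally flushes the last window's report
```

With the default limit a 1000 pps flood produces 100 responses per second and the reports lag the windows they describe by one response attempt; setting `icmplim=0` lets every response through, as the log says.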