Date:      Wed, 6 Jun 2001 20:27:12 -0400 (EDT)
From:      mi@aldan.algebra.com
To:        questions@freebsd.org
Subject:   using ipfw's ``pipe'' to limit icmp traffic
Message-ID:  <200106070028.f570SPW07419@misha.privatelabs.com>

Trying  to protect  our network  from  ICMP-based attacks,  I added  the
following rules to the firewall:

	# OIF is the Outside InterFace
	# dummynet pipe emulating a 64 Kbit/s link
	pipe 1  config bw 64Kbit/s
	# all ICMP arriving on the outside interface goes through the pipe
	add pipe 1  log icmp from any to any in via OIF
	add allow icmp from any to any

	(OIF is the Outside InterFace)

The assumption is, there  is not going to be _much_  ICMP traffic, so
if it ever needs more than 64Kbit/s, it is an attack...

This  seems to  work,  but when  I  try to  ping  something outside  the
network, the ping  time is around 10 msec. Without  the above piping, it
is around 0.5 msec.  It is the bandwidth that I'm  trying to limit, not
the minimum latency!

Even  more bizarre  is  that  the ping  times  are  _higher_ when  pings
originate from  the firewall itself,  compared to those  that originate
from inside the firewalled network...

What am I doing wrong? Thanks!

	-mi
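The following is an added example, not part of the message above and not code from FreeBSD's ipfw or dummynet. It is a toy model of what a `pipe ... bw 64Kbit/s` does to a single ping: a pipe emulates a link of the configured bandwidth, so every packet, even on an otherwise idle pipe, waits for its own serialisation time at that rate (an 84-byte echo packet at 64 Kbit/s takes 10.5 ms, which is the order of the 10 ms reported). The model also assumes, as labelled in the code, that the pipe is serviced once per kernel clock tick (HZ), which rounds that wait up to whole ticks, and that it holds at most 50 packets before dropping (dummynet's default queue size). The packet size (56 data + 8 ICMP + 20 IP bytes), the HZ values and the burst sizes are assumptions chosen for illustration.

```python
"""Toy model of an ipfw/dummynet bandwidth pipe.

Added example, not from the original message or from FreeBSD's
ipfw/dummynet sources. Assumptions (not taken from the page):
  - a pipe behaves like a link of bw_bps, so a packet of N bytes is
    delayed by N*8/bw_bps seconds even when nothing else is queued;
  - the pipe is serviced once per kernel clock tick (hz per second),
    so that delay is rounded up to whole ticks;
  - the pipe queue holds `slots` packets (50 assumed) and drops what
    arrives when it is full.
"""
import math
from collections import deque

PING_BYTES = 84  # assumed: default ping(8) echo, 56 data + 8 ICMP + 20 IP


def serialization_ms(size_bytes, bw_bps):
    """Milliseconds needed to clock size_bytes out of a bw_bps link."""
    return size_bytes * 8 / bw_bps * 1000.0


def tick_rounded_ms(size_bytes, bw_bps, hz):
    """Same delay when the pipe is only serviced every 1/hz seconds:
    the packet leaves on the first tick whose accumulated credit covers it."""
    ticks = math.ceil(size_bytes * 8 * hz / bw_bps)
    return ticks * 1000.0 / hz


def simulate_burst(n_packets, size_bytes, bw_bps, hz=100, slots=50):
    """Push n_packets into an idle pipe within one tick, then drain it.

    Returns (delays_ms, dropped): queueing delay of every packet that got
    through, in arrival order, and the number dropped because the queue
    was full. Credit accrues bw_bps/hz bits per tick and a packet is sent
    as soon as the credit covers its length, so the pipe shapes (delays)
    traffic rather than policing (dropping) it until the queue overflows.
    """
    queue = deque()
    dropped = 0
    for _ in range(n_packets):
        if len(queue) >= slots:
            dropped += 1
        else:
            queue.append(size_bytes)

    delays = []
    credit = 0.0
    tick = 0
    while queue:
        tick += 1
        credit += bw_bps / hz
        while queue and credit >= queue[0] * 8:
            credit -= queue.popleft() * 8
            delays.append(tick * 1000.0 / hz)
    return delays, dropped


if __name__ == "__main__":
    bw = 64_000
    print(f"serialisation of one ping at 64 Kbit/s: "
          f"{serialization_ms(PING_BYTES, bw):.1f} ms")
    for hz in (100, 1000):
        print(f"  rounded to HZ={hz} ticks: "
              f"{tick_rounded_ms(PING_BYTES, bw, hz):.1f} ms")
    # A flood of 100 echo requests in one tick: 50 queue, 50 drop, and the
    # last queued one (possibly the legitimate ping) waits over half a second.
    delays, dropped = simulate_burst(100, PING_BYTES, bw)
    print(f"burst of 100: {len(delays)} passed, {dropped} dropped, "
          f"first out after {delays[0]:.0f} ms, last after {delays[-1]:.0f} ms")
```

The practitioner point the model makes is that a pipe is a shaper, not a policer: limiting ICMP to 64 Kbit/s necessarily costs every ICMP packet its transmission time at that rate, and under a flood legitimate echo replies queue behind attack traffic for up to the full queue depth before anything is dropped. Raising the pipe bandwidth, or raising HZ on kernels where dummynet is driven by the clock tick, reduces the per-packet cost; it does not remove it.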

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200106070028.f570SPW07419>