Date:      Thu, 7 Jun 2001 13:33:27 -0400 (EDT)
From:      mi@aldan.algebra.com
To:        ipthomas_77@yahoo.com
Cc:        freebsd-questions@freebsd.org
Subject:   Re: using ipfw's ``pipe'' to limit icmp traffic
Message-ID:  <200106071733.f57HXSW09312@misha.privatelabs.com>
In-Reply-To: <200106071614.MAA01227@scarlet.my.domain>

On  7 Jun, Ian P. Thomas wrote:
> 	I added ICMP_BANDLIM as an option in the kernel.  It is used to
> prevent just the sort of attacks you are using your firewall for.  I have
> seen no slowdown in my ping times since implementing it.

Mmmm, but will it protect the whole network, or just this machine?
Yours,

	-mi

> Ian
> 
> In the last episode, mi@aldan.algebra.com stated...
>> Trying  to protect  our network  from  ICMP-based attacks,  I added  the
>> following rules to the firewall:
>> 
>> 	pipe 1  config bw 64Kbit/s
>> 	add pipe 1  log icmp from any to any in via OIF
>> 	add allow icmp from any to any
>> 
>> 	(OIF is the Outside InterFace)
>> 
>> The assumption is, there is not going to be _much_ ICMP traffic, so
>> if it ever needs more than 64Kbit/s, it is an attack...
>> 
>> This seems to work, but when I try to ping something outside the
>> network, the ping time is around 10 msec. Without the above piping, it
>> is around 0.5 msec. It is the bandwidth that I'm trying to limit, not
>> the minimum latency!
>> 
>> Even more bizarre is that the ping times are _higher_ when pings
>> originate from the firewall itself, compared to those that originate
>> from inside the firewalled network...
>> 
>> What am I doing wrong? Thanks!
>> 
>> 	-mi
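An added example, not part of this thread and not FreeBSD's dummynet code: a small Python model of what a bandwidth pipe does to traffic passing through it. A pipe configured with `bw 64Kbit/s` emulates a link of that speed, so every packet is held for its own serialization time (packet bits divided by link rate) plus whatever is already queued ahead of it. For a default ping the packet is 84 bytes (20-byte IP header, 8-byte ICMP header, 56-byte payload), which at 64 Kbit/s is 10.5 ms per direction; that is the order of the extra delay reported in the original post, and it is inherent to rate limiting with a link emulator rather than a misconfiguration. The queue depth of 50 slots and the tail-drop behaviour are assumptions of this model (50 slots is dummynet's documented default), link-layer framing is ignored, and the 1000 packet/s flood is constructed input.

```python
"""Toy model of an ipfw/dummynet bandwidth pipe (constructed example, not FreeBSD code)."""
from collections import deque
from dataclasses import dataclass

# Assumed packet layout of a default ping(8) echo request: no link-layer framing counted.
IP_HDR = 20
ICMP_HDR = 8
PING_PAYLOAD = 56
PING_PACKET = IP_HDR + ICMP_HDR + PING_PAYLOAD  # 84 bytes

PIPE_BW = 64_000        # the 64Kbit/s pipe from the original rules
QUEUE_SLOTS = 50        # assumed queue depth (dummynet's documented default)


def serialization_delay_ms(packet_bytes: int, bw_bits_per_s: int) -> float:
    """Time to clock packet_bytes out of a link running at bw_bits_per_s, in ms."""
    return packet_bytes * 8 / bw_bits_per_s * 1000.0


@dataclass
class PipeResult:
    delays_ms: list   # queueing + serialization delay of each delivered packet
    dropped: int      # packets that arrived while the queue was full


def simulate_pipe(arrival_times_s, packet_bytes, bw_bits_per_s, queue_slots=QUEUE_SLOTS):
    """
    Single FIFO pipe: one packet transmits at a time at the configured rate,
    up to queue_slots packets wait behind it, later arrivals are tail-dropped.
    arrival_times_s must be non-decreasing.
    """
    ser_s = serialization_delay_ms(packet_bytes, bw_bits_per_s) / 1000.0
    link_free_at = 0.0            # when the emulated link finishes its current packet
    waiting = deque()             # start-of-transmission times of packets still queued
    delays_ms, dropped = [], 0
    for t in arrival_times_s:
        # packets whose turn has come are no longer occupying a queue slot
        while waiting and waiting[0] <= t:
            waiting.popleft()
        if len(waiting) >= queue_slots:
            dropped += 1
            continue
        start = max(t, link_free_at)
        link_free_at = start + ser_s
        if start > t:
            waiting.append(start)
        delays_ms.append((link_free_at - t) * 1000.0)
    return PipeResult(delays_ms, dropped)


def single_ping_delay_ms() -> float:
    """Extra latency a lone 84-byte echo request picks up crossing the 64Kbit/s pipe."""
    return simulate_pipe([0.0], PING_PACKET, PIPE_BW).delays_ms[0]


def flood_result(packets_per_s=1000, seconds=1.0) -> PipeResult:
    """Constructed flood: 84-byte packets at 1000/s is 672Kbit/s, ten times the pipe."""
    arrivals = [i / packets_per_s for i in range(int(packets_per_s * seconds))]
    return simulate_pipe(arrivals, PING_PACKET, PIPE_BW)


if __name__ == "__main__":
    print(f"lone ping: +{single_ping_delay_ms():.1f} ms each way")
    r = flood_result()
    print(f"flood: {len(r.delays_ms)} delivered, {r.dropped} dropped, "
          f"worst delay {max(r.delays_ms):.0f} ms")
```

The two results show the trade-off the pipe buys: a bandwidth limit stops the flood (most of it is dropped once the 50-slot queue fills) but every packet, attack or not, pays the link's serialization time, and packets that land behind a queued burst pay up to a queue's worth more. If the goal is to drop floods without touching the latency of ordinary pings, a rate limiter that counts packets and discards the excess (the kernel's ICMP_BANDLIM suggested in the reply above) does that without emulating a slow link.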
