Date:      Thu, 7 Jun 2001 15:24:07 -0400 (EDT)
From:      "Ian P. Thomas" <ipthomas_77@yahoo.com>
To:        mi@aldan.algebra.com
Cc:        freebsd-questions@freebsd.org
Subject:   Re: using ipfw's ``pipe'' to limit icmp traffic
Message-ID:  <200106071924.PAA08862@scarlet.my.domain>
In-Reply-To: <no.id> from "mi@aldan.algebra.com" at Jun 07, 2001 01:33:27 PM

	I'm going to assume just that machine.  LINT doesn't say much about
it, and I couldn't find any more info elsewhere.  Maybe someone else on the
list knows where to find more info on this feature?

Ian

In the last episode, mi@aldan.algebra.com stated...
> 
> On  7 Jun, Ian P. Thomas wrote:
> > 	I add ICMP_BANDLIM as an option in the kernel.  It is used to
> > prevent just the sort of attacks you are using your firewall for.  I have
> > seen no slowdown on my ping times since implementing it.
> 
> Mmmm, but will it protect the whole network, or just this machine?
> Yours,
> 
> 	-mi
> 
> > Ian
> > 
> > In the last episode, mi@aldan.algebra.com stated...
> >> Trying  to protect  our network  from  ICMP-based attacks,  I added  the
> >> following rules to the firewall:
> >> 
> >> 	pipe 1  config bw 64Kbit/s
> >> 	add pipe 1  log icmp from any to any in via OIF
> >> 	add allow icmp from any to any
> >> 
> >> 	(OIF is the Outside InterFace)
> >> 
> >> The assumption is, there  is not going to be _much_  of ICMP traffic, so
> >> if it ever needs more than 64Kbit/s, it is an attack...
> >> 
> >> This  seems to  work,  but when  I  try to  ping  something outside  the
> >> network, the ping  time is around 10 msec. Without  the above piping, it
> >> is around 0.5 msec.  It is the bandwidth, that I'm  trying to limit, not
> >> the minimum latency!
> >> 
> >> Even  more bizarre  is  that  the ping  times  are  _higher_ when  pings
> >> originate from  the firewall itself,  compared to those,  that originate
> >> from inside the firewalled network...
> >> 
> >> What am I doing wrong? Thanks!
> >> 
> >> 	-mi
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 

