From: Nikos Vassiliadis
To: freebsd-questions@freebsd.org
Cc: User Freebsd
Date: Fri, 28 Jul 2006 10:40:12 +0300
Subject: Re: icmp packets - disabling via sysctl, or cisco switch ... ?
User-Agent: KMail/1.9.1
Message-Id: <200607281040.13292.nvass@teledomenet.gr>
In-Reply-To: <20060728002433.E17979@ganymede.hub.org>
References: <20060728001202.W17979@ganymede.hub.org> <20060728002433.E17979@ganymede.hub.org>
List-Id: User questions <freebsd-questions@freebsd.org>

On Friday 28 July 2006 06:26, User Freebsd wrote:
> Just an addendum, but this is what I'm seeing in /var/log/messages right
> now:
>
> Jul 28 00:22:37 io kernel: Limiting icmp unreach response from 6255 to 200 packets/sec
> Jul 28 00:22:38 io kernel: Limiting icmp unreach response from 6515 to 200 packets/sec
> Jul 28 00:22:39 io kernel: Limiting icmp unreach response from 6646 to 200 packets/sec
> ^C
>
> And it's been going on for several hours now ... :(

Yes, it is just FreeBSD behaving cleverly and limiting the number of ICMP
replies. These two sysctls are of interest:

net.inet.icmp.icmplim: Maximum number of ICMP responses per second
net.inet.icmp.icmplim_output: Enable rate limiting of ICMP responses

Somebody is probably flood pinging your server. You can do several things.

1) Block particular (addresses|proto) from your upstream router. This way
   "bad" traffic will not reach your box.

2) Block particular (addresses|proto) from your box. This way the "attacker"
   will not know if your box is up and running. Not much gain, since traffic
   will load your box anyway.

3) Limit the number of ICMP replies to 5 or 10 per second. Won't help at all
   with your situation, but it is a good value for normal use.

HTH, Nikos