From owner-freebsd-security Fri Jan 21 18:16:17 2000
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 3498D14DCB for ; Fri, 21 Jan 2000 18:16:14 -0800 (PST) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id DAA32604; Sat, 22 Jan 2000 03:16:07 +0100 (CET) (envelope-from des@flood.ping.uio.no)
To: Keith Stevenson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Some observations on stream.c and streamnt.c
References: <4.2.2.20000120194543.019a8d50@localhost> <20000121162757.A7080@osaka.louisville.edu>
From: Dag-Erling Smorgrav
Date: 22 Jan 2000 03:16:07 +0100
In-Reply-To: Keith Stevenson's message of "Fri, 21 Jan 2000 16:27:57 -0500"
Message-ID:
Lines: 19
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Keith Stevenson writes:
> I was very happy with my FreeBSD servers. All are 3.4-STABLE with
> options "ICMP_BANDLIM" in the kernel. One of the machines I tested had
> TCP_RESTRICT_RST enabled.
>
> The ICMP_BANDLIM seemed to be the life saver. I got tons of
> "icmp-response bandwidth limit" messages in my syslog, but the load didn't
> climb and I was still able to provide network services from the target host.
> The machine which was running TCP_RESTRICT_RST in addition to ICMP_BANDLIM
> behaved exactly like the one without TCP_RESTRICT_RST.

That's because the ICMP_BANDLIM code comes *before* the TCP_RESTRICT_RST
code, and costs more to run. A kernel with TCP_RESTRICT_RST but no
ICMP_BANDLIM will fare better than a kernel with ICMP_BANDLIM.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
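Keith mentions watching for "icmp-response bandwidth limit" messages in syslog as the sign that ICMP_BANDLIM was absorbing the flood. The script below is an added example, not code from the thread or from FreeBSD: it scans constructed syslog lines for that substring, groups hits per minute, and reports the peak attempted response rate. The "NNNN/200 pps" suffix and the `/kernel:` tag are assumptions about the log format, so the numeric part is parsed optionally.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the original thread).
# The "icmp-response bandwidth limit" text is the message Keith reports;
# the "attempted/limit pps" suffix is an assumed format and is optional below.
SAMPLE_SYSLOG = """\
Jan 21 15:02:01 target /kernel: icmp-response bandwidth limit 4210/200 pps
Jan 21 15:02:07 target /kernel: icmp-response bandwidth limit 3988/200 pps
Jan 21 15:02:31 target /kernel: icmp-response bandwidth limit 4105/200 pps
Jan 21 15:03:15 target /kernel: icmp-response bandwidth limit 3877/200 pps
Jan 21 15:09:44 target sshd[412]: Accepted publickey for ops from 192.0.2.10
Jan 21 15:10:02 target /kernel: icmp-response bandwidth limit 120/200 pps
"""

# Capture the timestamp down to the minute, the host, and (if present)
# the attempted and permitted rates.
BANDLIM_RE = re.compile(
    r"^(?P<minute>\w{3} +\d{1,2} \d{2}:\d{2}):\d{2} (?P<host>\S+) /kernel: "
    r"icmp-response bandwidth limit(?: (?P<attempted>\d+)/(?P<limit>\d+) pps)?"
)


def bandlim_events(lines):
    """Yield (minute, attempted_pps, limit_pps) for each ICMP_BANDLIM line.

    Non-kernel lines and unrelated kernel lines are skipped; rates are
    None when the message carried no numeric suffix.
    """
    for line in lines:
        m = BANDLIM_RE.match(line)
        if not m:
            continue
        attempted = int(m["attempted"]) if m["attempted"] else None
        limit = int(m["limit"]) if m["limit"] else None
        yield m["minute"], attempted, limit


def bandlim_minutes(text, threshold=3):
    """Return {minute: count} for minutes with >= threshold limiter messages.

    Sustained runs of the message indicate the limiter was active, which is
    the 'flood absorbed' condition rather than a stray burst.
    """
    counts = Counter(minute for minute, _, _ in bandlim_events(text.splitlines()))
    return {minute: n for minute, n in counts.items() if n >= threshold}


def peak_attempt_rate(text):
    """Highest attempted ICMP response rate (pps) logged, or None if absent."""
    rates = [a for _, a, _ in bandlim_events(text.splitlines()) if a is not None]
    return max(rates) if rates else None
```

Run against a real /var/log/messages the thresholds can be tuned to the box's normal ICMP error volume.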