Date: 22 Jan 2000 03:16:07 +0100
From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
To: Keith Stevenson <k.stevenson@louisville.edu>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Some observations on stream.c and streamnt.c
Message-ID: <xzpk8l2lul4.fsf@flood.ping.uio.no>
In-Reply-To: Keith Stevenson's message of "Fri, 21 Jan 2000 16:27:57 -0500"
References: <4.2.2.20000120194543.019a8d50@localhost> <Pine.BSF.4.10.10001211419010.3943-100000@tetron02.tetronsoftware.com> <20000121162757.A7080@osaka.louisville.edu>

Keith Stevenson <k.stevenson@louisville.edu> writes:
> I was very happy with my FreeBSD servers.  All are 3.4-STABLE with
> options "ICMP_BANDLIM" in the kernel.  One of the machines I tested had
> TCP_RESTRICT_RST enabled.
>
> The ICMP_BANDLIM seemed to be the life saver.  I got tons of
> "icmp-response bandwidth limit" messages in my syslog, but the load didn't
> climb and I was still able to provide network services from the target host.
> The machine which was running TCP_RESTRICT_RST in addition to ICMP_BANDLIM
> behaved exactly like the one without TCP_RESTRICT_RST.

That's because the ICMP_BANDLIM code comes *before* the TCP_RESTRICT_RST
code, and costs more to run. A kernel with TCP_RESTRICT_RST but no
ICMP_BANDLIM will fare better than a kernel with ICMP_BANDLIM.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no