Date:      Thu, 07 Jun 2001 07:18:59 +0200
From:      Thierry Herbelot <thierry@herbelot.com>
To:        mi@aldan.algebra.com
Cc:        question@FreeBSD.ORG, net@FreeBSD.ORG
Subject:   Re: using ipfw's ``pipe'' to limit icmp traffic
Message-ID:  <3B1F0EC3.28C7A21C@herbelot.com>
References:  <200106070027.f570RDW07406@misha.privatelabs.com>

mi@aldan.algebra.com wrote:
> 
> Trying  to protect  our network  from  ICMP-based attacks,  I added  the
> following rules to the firewall:
> 
>         pipe 1  config bw 64Kbit/s
>         add pipe 1  log icmp from any to any in via OIF
>         add allow icmp from any to any
> 
>         (OIF is the Outside InterFace)
> 
> The assumption is, there  is not going to be _much_  of ICMP traffic, so
> if it ever needs more than 64Kbit/s, it is an attack...
> 
> This  seems to  work,  but when  I  try to  ping  something outside  the
> network, the ping  time is around 10 msec. Without  the above piping, it
> is around 0.5 msec.  It is the bandwidth, that I'm  trying to limit, not
> the minimum latency!

the pipe facility is using the kernel clock, which has a default
frequency of 100 Hz (thus the 10ms latency).

the ipfw man page suggests : "it is a good practice to run kernels with
``options HZ=1000'' to reduce the granularity to 1ms or less" (HZ=1000
should work with computers as slow as pentium-75, I'm using HZ=5000 with
P-III/450MHz)

PS : the HZ option is not documented in the LINT kernel config as it
should be

> 
> Even  more bizarre  is  that  the ping  times  are  _higher_ when  pings
> originate from  the firewall itself,  compared to those,  that originate
> from inside the firewalled network...

USTL

> 
> What am I doing wrong? Thanks!
> 
>         -mi
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message

-- 
Thierry Herbelot

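An added illustration, written for this archive page and not taken from the thread or from FreeBSD's dummynet source: a simplified model of a pipe that is serviced only on kernel timer ticks and is granted bw/HZ bits of transmission credit per tick, starting from zero when a packet arrives at an idle pipe. Run for an 84-byte echo reply (the default ping size: 56 data bytes plus ICMP and IP headers) through the 64Kbit/s pipe in the ruleset above, it separates the two parts of the added delay: the wait for the next tick, bounded by 1/HZ, which is the part that HZ=1000 shrinks, and the serialization time at the configured rate, which for 672 bits at 64Kbit/s is about 10.5 ms whatever HZ is. The 3.5 ms arrival offset and the 10 Mbit/s comparison pipe are constructed inputs, and the model's credit accounting is an assumption for illustration, not a description of dummynet's.

```python
"""Toy model of a tick-driven bandwidth pipe (added example, not dummynet code).

Two effects are modelled, both assumptions made for illustration:
  * the pipe is serviced only at timer ticks, every 1/hz seconds;
  * each tick grants bw_bps/hz bits of credit, starting from zero at arrival
    (idle pipe), and the packet leaves at the first tick where credit >= size.
"""
import math


def pipe_delay(arrival_s: float, size_bytes: int, bw_bps: int, hz: int) -> dict:
    """Delay added to one packet entering an idle pipe at time arrival_s."""
    tick = 1.0 / hz
    size_bits = size_bytes * 8
    # First tick strictly after the arrival: the packet cannot move before it.
    first_tick = math.floor(arrival_s / tick + 1) * tick
    # Credit per tick; the packet needs this many ticks of credit to be sent.
    bits_per_tick = bw_bps / hz
    ticks_needed = math.ceil(size_bits / bits_per_tick)
    departure = first_tick + (ticks_needed - 1) * tick
    return {
        "tick_wait_s": first_tick - arrival_s,        # in (0, 1/hz]: what HZ controls
        "serialization_s": size_bits / bw_bps,        # pure rate-limit cost, HZ-independent
        "serialization_ticks": ticks_needed,          # that cost rounded up to ticks
        "total_s": departure - arrival_s,
    }


def compare_hz(size_bytes: int = 84, bw_bps: int = 64_000,
               arrival_s: float = 0.0035, hz_values=(100, 1000, 5000)) -> dict:
    """Total added delay in milliseconds for each HZ, same packet and pipe."""
    return {hz: pipe_delay(arrival_s, size_bytes, bw_bps, hz)["total_s"] * 1000
            for hz in hz_values}


if __name__ == "__main__":
    # Constructed inputs: an 84-byte echo reply arriving 3.5 ms into a second.
    for bw in (64_000, 10_000_000):
        print(f"pipe bw={bw} bit/s, 84-byte echo reply:")
        for hz, ms in compare_hz(bw_bps=bw).items():
            d = pipe_delay(0.0035, 84, bw, hz)
            print(f"  HZ={hz:5d}: wait for tick {d['tick_wait_s']*1000:5.2f} ms, "
                  f"serialization {d['serialization_s']*1000:6.3f} ms "
                  f"({d['serialization_ticks']} tick(s)), total {ms:5.2f} ms")
```

In this model, going from HZ=100 to HZ=1000 cuts the 64Kbit/s case from 16.5 ms to 10.5 ms and the 10 Mbit/s case from 6.5 ms to 0.5 ms: the tick wait disappears into the noise either way, but the ~10.5 ms it takes to clock 672 bits through a 64Kbit/s pipe stays. Since the rule above is `in via OIF`, only the inbound echo reply crosses the pipe, so that cost is paid once per round trip; a bandwidth cap this tight is a latency floor for every ICMP packet, attack or not, and HZ only determines how much extra jitter sits on top of it.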
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3B1F0EC3.28C7A21C>