Date:      18 Jul 1999 16:14:30 +0200
From:      Dag-Erling Smorgrav <des@flood.ping.uio.no>
To:        net@freebsd.org
Subject:   pipes
Message-ID:  <xzpyagem4e1.fsf@flood.ping.uio.no>

I'm having trouble setting up a pipe to limit incoming SYN traffic.

First, I set up a rule to allow incoming connections to the IRC
daemon:

root@efnet ~# ipfw add 20 allow tcp from any to any 6666,6667 setup in
00020 allow tcp from any to any 6666,6667 in setup

After some light pummelling with a join flooder, I see the following:

root@efnet ~# ipfw -a l 20
00020    18     796 allow tcp from any to any 6666,6667 in setup

Next, let's add a pipe to limit incoming SYNs to 2 kBps:

root@efnet ~# ipfw pipe 1 config bw 2 kBytes/s
root@efnet ~# ipfw add 10 pipe 1 tcp from any to any setup in
00010 pipe 1 tcp from any to any in setup
root@efnet ~# ipfw zero
Accounting cleared.
root@efnet ~# ipfw -a l 10 20
00010   0      0 pipe 1 tcp from any to any in setup
00020   0      0 allow tcp from any to any 6666,6667 in setup

Then I run my flooder again for a short while and observe:

root@efnet ~# ipfw -a l 10 20
00010   46    2188 pipe 1 tcp from any to any in setup
00020    0       0 allow tcp from any to any 6666,6667 in setup
root@efnet ~# ipfw pipe list 1
00001:   2.000 bit/s     0 ms  50 sl.  -- 49 pkts (2332 B) 29 drops

So the pipe claims to have blocked only 29 out of 49 packets, but no
packets reached rule 20. At this point I have to stop testing since
the server is a live one, not a test box :)

(BTW, I also tried the following:

root@efnet ~# sysctl -w net.inet.ip.fw.one_pass=1                   
net.inet.ip.fw.one_pass: 0 -> 1
root@efnet ~# ipfw add 10 pipe 1 tcp from any to 195.198.116.23 6666,6667 setup
00010 pipe 1 tcp from any to 195.198.116.23 6666,6667 setup

which should make the 'pipe' rule behave like the previously used
'allow' rule when the packet isn't dropped. It didn't work; nothing
got through)

What am I doing wrong?

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no
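
Added example (not part of the original message): a Python check that compares the bandwidth requested in the `ipfw pipe 1 config` command with the rate that `ipfw pipe list 1` reports back, using the lines from the transcript above as input. It assumes decimal prefixes (k = 1000) and 8 bits per byte; the function names are hypothetical.

```python
import re

# Lines copied from the transcript in the message above, used as sample input.
CONFIG_CMD = "ipfw pipe 1 config bw 2 kBytes/s"
PIPE_LIST = "00001:   2.000 bit/s     0 ms  50 sl.  -- 49 pkts (2332 B) 29 drops"

# Assumption: decimal prefixes (k = 1000, M = 1000000), 8 bits per byte.
PREFIX = {"": 1, "k": 1_000, "m": 1_000_000}
LIST_RE = re.compile(
    r"^(?P<pipe>\d+):\s+(?P<bw>[\d.]+)\s+(?P<unit>\S+)\s+(?P<delay>\d+)\s+ms\s+"
    r"(?P<slots>\d+)\s+sl\.\s+--\s+(?P<pkts>\d+)\s+pkts\s+"
    r"\((?P<bytes>\d+)\s+B\)\s+(?P<drops>\d+)\s+drops")

def to_bits_per_sec(value, unit):
    """Normalize ('2', 'kBytes/s') or ('2.000', 'bit/s') to bit/s."""
    m = re.fullmatch(r"([km]?)(bit|byte)s?/s", unit, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognized bandwidth unit: {unit!r}")
    scale = PREFIX[m.group(1).lower()]
    if m.group(2).lower() == "byte":
        scale *= 8
    return float(value) * scale

def requested_bw(config_cmd):
    """Bandwidth asked for in an 'ipfw pipe N config bw ...' command, in bit/s."""
    m = re.search(r"config\s+bw\s+([\d.]+)\s*(\S+)", config_cmd)
    if not m:
        raise ValueError("no 'bw' argument in config command")
    return to_bits_per_sec(m.group(1), m.group(2))

def check_pipe(config_cmd, list_line):
    """Compare requested and listed rates and derive per-packet drain time."""
    m = LIST_RE.match(list_line)
    if not m:
        raise ValueError("unrecognized 'ipfw pipe list' line")
    want, have = requested_bw(config_cmd), to_bits_per_sec(m["bw"], m["unit"])
    pkts, nbytes, drops = int(m["pkts"]), int(m["bytes"]), int(m["drops"])
    avg_bits = 8 * nbytes / pkts if pkts else 0.0
    return {
        "requested_bps": want,
        "listed_bps": have,
        "mismatch": want != have,
        "not_dropped": pkts - drops,
        # Seconds to pass one average-sized packet at the listed rate.
        "secs_per_pkt": avg_bits / have if have else float("inf"),
    }

if __name__ == "__main__":
    for key, val in check_pipe(CONFIG_CMD, PIPE_LIST).items():
        print(f"{key:14} {val}")
```

On the transcript's values the check reports a requested rate of 16000 bit/s against a listed rate of 2 bit/s. If the listed rate is the one being enforced, one average-sized packet from that run would take about 190 seconds to leave the pipe.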
