From owner-freebsd-net Sun Jul 18 7:17:35 1999
Delivered-To: freebsd-net@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 4E13114DDE for ; Sun, 18 Jul 1999 07:17:32 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id QAA48419; Sun, 18 Jul 1999 16:14:31 +0200 (CEST) (envelope-from des)
To: net@freebsd.org
Subject: pipes
From: Dag-Erling Smorgrav
Date: 18 Jul 1999 16:14:30 +0200
Message-ID:
Lines: 52
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm having trouble setting up a pipe to limit incoming SYN traffic.

First, I set up a rule to allow incoming connections to the IRC daemon:

root@efnet ~# ipfw add 20 allow tcp from any to any 6666,6667 setup in
00020 allow tcp from any to any 6666,6667 in setup

After some light pummelling with a join flooder, I see the following:

root@efnet ~# ipfw -a l 20
00020 18 796 allow tcp from any to any 6666,6667 in setup

Next, let's add a pipe to limit incoming SYNs to 2 kBps:

root@efnet ~# ipfw pipe 1 config bw 2 kBytes/s
root@efnet ~# ipfw add 10 pipe 1 tcp from any to any setup in
00010 pipe 1 tcp from any to any in setup
root@efnet ~# ipfw zero
Accounting cleared.
root@efnet ~# ipfw -a l 10 20
00010 0 0 pipe 1 tcp from any to any in setup
00020 0 0 allow tcp from any to any 6666,6667 in setup

Then I run my flooder again for a short while and observe:

root@efnet ~# ipfw -a l 10 20
00010 46 2188 pipe 1 tcp from any to any in setup
00020 0 0 allow tcp from any to any 6666,6667 in setup
root@efnet ~# ipfw pipe list 1
00001: 2.000 bit/s 0 ms 50 sl. -- 49 pkts (2332 B) 29 drops

So the pipe claims to have blocked only 29 out of 49 packets, but no
packets reached rule 20.

At this point I have to stop testing since the server is a live one,
not a test box :)

(BTW, I also tried the following:

root@efnet ~# sysctl -w net.inet.ip.fw.one_pass=1
net.inet.ip.fw.one_pass: 0 -> 1
root@efnet ~# ipfw add 10 pipe 1 tcp from any to 195.198.116.23 6666,6667 setup
00010 pipe 1 tcp from any to 195.198.116.23 6666,6667 setup

which should make the 'pipe' rule behave like the previously used 'allow'
rule when the packet isn't dropped. It didn't work; nothing got through)

What am I doing wrong?

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no
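A sanity check for a dummynet pipe like the one above, added here as an example and not part of the original message or of ipfw itself. It parses the two listings the post quotes (`ipfw pipe list` and `ipfw -a l`, using exactly the line layout shown in the post) and reports two things a practitioner would want confirmed before trusting a rate limit: whether the bandwidth the kernel lists matches the one requested with `bw` (the post asks for `2 kBytes/s`, the listing shows `2.000 bit/s`), and whether the packets the pipe did not drop actually show up in the counters of the next rule. The function and variable names are mine; the unit multipliers follow the `[K|M]{bit/s|Bytes/s}` suffixes ipfw accepts after `bw`; the sample input is constructed from the listings in the post.

```python
import re

# Constructed sample input: the two listings quoted in the post above.
PIPE_LIST = "00001: 2.000 bit/s 0 ms 50 sl. -- 49 pkts (2332 B) 29 drops\n"
ACCOUNTING = (
    "00010 46 2188 pipe 1 tcp from any to any in setup\n"
    "00020 0 0 allow tcp from any to any 6666,6667 in setup\n"
)

# Multipliers to bit/s for the unit suffixes ipfw accepts after "bw".
BW_UNITS = {
    "bit/s": 1, "kbit/s": 1000, "mbit/s": 1000000,
    "bytes/s": 8, "kbytes/s": 8000, "mbytes/s": 8000000,
}

# One pipe per line, in the layout printed in the post.
PIPE_RE = re.compile(
    r"^(?P<num>\d+):\s+(?P<bw>[\d.]+)\s+(?P<unit>\S+)\s+(?P<delay>\d+)\s+ms\s+"
    r"(?P<slots>\d+)\s+sl\.\s+--\s+(?P<pkts>\d+)\s+pkts\s+\((?P<bytes>\d+)\s+B\)"
    r"\s+(?P<drops>\d+)\s+drops"
)
# One rule per line of "ipfw -a l": number, packet count, byte count, rule body.
RULE_RE = re.compile(r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<body>.+)$")


def to_bits_per_s(value, unit):
    """Convert a 'bw' value and unit suffix to bit/s (unit is case-insensitive)."""
    return float(value) * BW_UNITS[unit.lower()]


def parse_pipe_list(text):
    """Map pipe number -> counters, from 'ipfw pipe list' output."""
    pipes = {}
    for line in text.splitlines():
        m = PIPE_RE.match(line.strip())
        if m:
            pipes[int(m["num"])] = {
                "bw_bits": to_bits_per_s(m["bw"], m["unit"]),
                "slots": int(m["slots"]),
                "pkts": int(m["pkts"]),
                "bytes": int(m["bytes"]),
                "drops": int(m["drops"]),
            }
    return pipes


def parse_accounting(text):
    """Map rule number -> counters and body, from 'ipfw -a l' output."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[int(m["num"])] = {
                "pkts": int(m["pkts"]), "bytes": int(m["bytes"]), "body": m["body"],
            }
    return rules


def check_pipe(pipe_list, accounting, pipe_num, next_rule, requested_bw):
    """Return findings for one pipe.

    requested_bw is the argument given to 'ipfw pipe N config bw', e.g. '2 kBytes/s'.
    next_rule is the rule that should see packets the pipe lets through.
    """
    findings = []
    pipe = parse_pipe_list(pipe_list)[pipe_num]
    rules = parse_accounting(accounting)

    # 1. Does the kernel's idea of the bandwidth match what was asked for?
    value, unit = requested_bw.split()
    want = to_bits_per_s(value, unit)
    if pipe["bw_bits"] != want:
        findings.append(
            f"pipe {pipe_num}: requested {want:g} bit/s ({requested_bw}) "
            f"but kernel lists {pipe['bw_bits']:g} bit/s"
        )

    # 2. Did the packets the pipe did not drop reach the next rule?
    passed = pipe["pkts"] - pipe["drops"]
    seen = rules[next_rule]["pkts"]
    if passed > seen:
        findings.append(
            f"pipe {pipe_num}: {passed} packets not dropped but only {seen} counted "
            f"at rule {next_rule:05d} ({passed - seen} still queued in "
            f"{pipe['slots']} slots or lost)"
        )
    return findings


if __name__ == "__main__":
    for finding in check_pipe(PIPE_LIST, ACCOUNTING, 1, 20, "2 kBytes/s"):
        print(finding)
```

On the sample input the check reports both conditions: the listed rate is 2 bit/s against the 16000 bit/s that `2 kBytes/s` works out to, and 20 of the 49 packets were neither dropped nor counted at rule 20. To run it against a live box, feed it the output of `ipfw pipe list` and `ipfw -a l` after an `ipfw zero`, as the post does.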