Date: Thu, 9 Oct 2003 19:29:09 -0400
From: Haesu <haesu@towardex.com>
To: freebsd-isp@freebsd.org
Subject: ipfw icmp unreach code response limiting
Message-ID: <20031009232909.GA53805@scylla.towardex.com>
Hi,

By using the 'unreach <icmp code>' action with ipfw, the system will drop the packet, but at the same time respond to the source with an ICMP unreachable message using the selected <icmp code>. Is there any way to "rate-limit" the amount of ICMP unreach messages ipfw generates? For example, on Cisco, 'ip icmp rate-limit unreach <milliseconds>' would limit the number of ICMP unreachable messages generated by the router to once every <milliseconds>.

What I am trying to do is, I've set up the backscatter traceback technique on a bunch of FreeBSD routers on a network using the IBGP distributed blackhole method. For easier backscatter trace-back operation, I need ICMP unreachable messages responding from the router whenever a packet routes into the discard interface. On Cisco, packets routed to the Null0 interface are an invalid adjacency (under CEF), which therefore causes a drop+unreach message. (More info about the backscatter technique is at http://www.secsup.org/Tracking/)

What I set up on my FreeBSD routers is, I have a discard interface (ds0, or rather the pseudo-device disc) set up. Any packets routed to ds0 will result in an unreachable message by ipfw using the following rule:

ipfw add 1 unreach filter-prohib all from any to any out via ds0

And this works great, exactly the same behaviour as on Cisco & Juniper when a packet is routed to Null0/discard. The only thing is, I'd like to limit the number of unreach filter-prohib messages ipfw generates back to the source to x packets per second. sysctl has net.inet.icmp.icmplim, which is exactly what I need, except that ipfw processes the packet _before_ it hits the routing stack, so the sysctl value is futile for ipfw's unreach behaviour.

Thanks for any comments/ideas :)

-hc

--
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | haesu@towardex.com
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170
Fax: (978)263-0033 | POC: HAESU-ARIN