From owner-freebsd-isp@FreeBSD.ORG Thu Oct 9 16:28:51 2003
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C08D716A4B3 for ; Thu, 9 Oct 2003 16:28:51 -0700 (PDT)
Received: from mx01.bos.ma.towardex.com (a65-124-16-8.svc.towardex.com [65.124.16.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1A2BF43FE0 for ; Thu, 9 Oct 2003 16:28:49 -0700 (PDT) (envelope-from haesu@mx01.bos.ma.towardex.com)
Received: by mx01.bos.ma.towardex.com (TowardEX ESMTP 3.0p11_DAKN, from userid 1001) id 150112F953; Thu, 9 Oct 2003 19:29:09 -0400 (EDT)
Date: Thu, 9 Oct 2003 19:29:09 -0400
From: Haesu
To: freebsd-isp@freebsd.org
Message-ID: <20031009232909.GA53805@scylla.towardex.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
Subject: ipfw icmp unreach code response limiting
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers
X-List-Received-Date: Thu, 09 Oct 2003 23:28:51 -0000

Hi,

By using the 'unreach ' with ipfw, the system will drop the packet, but at the same time respond to the source with an ICMP unreachable message via the selected . Is there any way to "rate-limit" the amount of ICMP unreach messages ipfw generates? For example, on Cisco 'ip icmp rate-limit unreach ' would limit the number of ICMP unreachable messages generated from the router to once every .

What I am trying to do is, I've set up the backscatter traceback technique on a bunch of FreeBSD routers on a network using the IBGP distributed blackhole method. For easier backscatter trace-back operation, I need ICMP unreachable messages sent back from the router whenever a packet is routed into the discard interface.

On Cisco, packets routed to the Null0 interface hit an invalid adjacency (under CEF), which therefore causes a drop + unreach message. (More info about the backscatter technique is at http://www.secsup.org/Tracking/)

What I set up on my FreeBSD routers is a discard interface (ds0, or rather the pseudo-device disc). Any packet routed to ds0 will result in an unreachable message from ipfw, using the following rule:

    ipfw add 1 unreach filter-prohib all from any to any out via ds0

And this works great, exactly the same behaviour as Cisco & Juniper when a packet is routed to Null0/discard.

The only thing is, I'd like to limit the number of unreach filter-prohib messages ipfw generates back to the source to x packets per second. sysctl has net.inet.icmp.icmplim, which is exactly what I need, except that ipfw processes the packet _before_ it hits the routing stack, so the sysctl value is futile for ipfw's unreach behaviour.

Thanks for any comments/ideas :)

-hc

--
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | haesu@towardex.com
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170
Fax: (978)263-0033 | POC: HAESU-ARIN
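The post contrasts two rate-limiting semantics for router-generated ICMP unreachables: the Cisco 'ip icmp rate-limit unreach' style (at most one message every N milliseconds) and the FreeBSD net.inet.icmp.icmplim style (a per-second cap). The simulation below is an added example, not code from the post, from ipfw or from any router vendor; it models both policies in Python over a constructed stream of packets that a router would route to its discard interface, so the effect of each policy on backscatter volume, and on the router's exposure to being used as an amplifier or having its CPU consumed by unreach generation, can be seen without touching a firewall. The fixed one-second window is an assumption about how a per-second cap behaves; the 500 ms default interval mentioned in a comment is an assumption as well.

```python
"""Simulate two ICMP-unreachable rate-limiting policies offline.

Added example (not from the mailing-list post or from FreeBSD/ipfw):
  IntervalLimiter  - one unreachable per `interval_ms` (Cisco-style
                     'ip icmp rate-limit unreach <ms>' semantics as the
                     post describes them).
  PerSecondLimiter - at most `limit` unreachables per wall-clock second
                     (a fixed window, modelled on net.inet.icmp.icmplim;
                     the fixed-window detail is an assumption here).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IntervalLimiter:
    """Allow one unreachable every `interval_ms` milliseconds."""
    interval_ms: int = 500            # assumed default, not taken from any vendor doc
    _last_ms: Optional[int] = None    # time of the last unreachable we emitted

    def allow(self, now_ms: int) -> bool:
        if self._last_ms is None or now_ms - self._last_ms >= self.interval_ms:
            self._last_ms = now_ms
            return True
        return False


@dataclass
class PerSecondLimiter:
    """Allow at most `limit` unreachables in each one-second window."""
    limit: int
    _window: Optional[int] = None     # index of the current one-second window
    _count: int = 0                   # unreachables emitted in that window

    def allow(self, now_ms: int) -> bool:
        window = now_ms // 1000
        if window != self._window:    # new second: reset the counter
            self._window, self._count = window, 0
        if self._count < self.limit:
            self._count += 1
            return True
        return False


def simulate(arrivals_ms: List[int], limiter) -> Tuple[int, int]:
    """Feed packet arrival times (ms) to a limiter.

    Returns (sent, suppressed): how many unreachables the router would
    emit versus silently drop under that policy.
    """
    sent = suppressed = 0
    for t in arrivals_ms:
        if limiter.allow(t):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed


def constructed_flood(duration_ms: int = 2000, spacing_ms: int = 50) -> List[int]:
    """Constructed input: a steady stream of packets hitting the discard
    route, one every `spacing_ms` for `duration_ms` (40 packets by default)."""
    return list(range(0, duration_ms, spacing_ms))


if __name__ == "__main__":
    pkts = constructed_flood()
    # Cisco-style, one per 100 ms: 20 unreachables out of 40 packets.
    print("interval 100 ms:", simulate(pkts, IntervalLimiter(100)))
    # icmplim-style cap of 5/s over two seconds: 10 unreachables out of 40.
    print("5 per second:   ", simulate(pkts, PerSecondLimiter(5)))
```

The interval limiter caps the steady-state rate but lets through one message per interval regardless of how bursty the flood is, while the per-second cap lets the first `limit` packets of each second through and then goes quiet until the next second; which one preserves enough backscatter for traceback while bounding the reflected volume depends on the inter-arrival pattern, which is what the simulation lets you check.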