From owner-freebsd-security Fri Jun 11 17:21:16 1999 Delivered-To: freebsd-security@freebsd.org Received: from fantasy.netreach.net (fantasy.netreach.net [205.197.101.219]) by hub.freebsd.org (Postfix) with ESMTP id 77A5A14C3C for ; Fri, 11 Jun 1999 17:21:08 -0700 (PDT) (envelope-from petef@netreach.net) Received: from static-petef.netreach.net (static-petef.netreach.net [209.116.208.124]) by fantasy.netreach.net (8.9.3/8.9.0) with SMTP id UAA24706; Fri, 11 Jun 1999 20:21:15 -0400 (EDT) Date: Fri, 11 Jun 1999 20:23:19 -0400 (EDT) From: Pete Fritchman To: Ruslan Ermilov Cc: "Jason L. Schwab" , ghandi@mindless.com, freebsd-security@FreeBSD.ORG Subject: Re: firewalls In-Reply-To: <19990612004633.A29090@relay.ucb.crimea.ua> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I did it before and it worked fine. -------------------- [ Pete Fritchman ] [ Systems Engineer ] [petef@netreach.net] -------------------- On Sat, 12 Jun 1999, Ruslan Ermilov wrote: > Date: Sat, 12 Jun 1999 00:46:33 +0300 > From: Ruslan Ermilov > To: Pete Fritchman > Cc: "Jason L. Schwab" , ghandi@mindless.com, > freebsd-security@FreeBSD.ORG > Subject: Re: firewalls > > On Fri, Jun 11, 1999 at 05:15:07PM -0400, Pete Fritchman wrote: > > You probably just want to deny all icmp to your dialup. > > > > ipfw add deny icmp from any to any > > > > -------------------- > > [ Pete Fritchman ] > > [ Systems Engineer ] > > [petef@netreach.net] > > -------------------- > > > Don't do it!!! It will broke Path MTU discovery: > http://www.worldgate.com/~marcs/mtu/ > > Instead, use ICMP_BANDLIM option: > > * Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl. If option > * is specified in kernel config, icmplim defaults to 100 pps. Setting it > * to 0 will disable the feature. This feature limits ICMP error responses > * for packets sent to bad tcp or udp ports, which does a lot to help the > * machine handle network D.O.S. attacks. > * > * The kernel will report packet rates that exceed the limit at a rate of > * one kernel printf per second. There is one issue in regards to the > * 'tail end' of an attack... the kernel will not output the last report > * until some unrelated and valid icmp error packet is return at some > * point after the attack is over. This is a minor reporting issue only. > > > Cheers, > -- > Ruslan Ermilov Sysadmin and DBA of the > ru@ucb.crimea.ua United Commercial Bank > +380.652.247.647 Simferopol, Ukraine > > http://www.FreeBSD.org The Power To Serve > http://www.oracle.com Enabling The Information Age > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message