Date: Sat, 12 Jun 1999 03:52:36 +0300
From: Ruslan Ermilov <ru@ucb.crimea.ua>
To: Pete Fritchman <petef@netreach.net>
Cc: "Jason L. Schwab" <jschwab@royal.net>, ghandi@mindless.com, freebsd-security@FreeBSD.ORG
Subject: Re: firewalls
Message-ID: <19990612035236.A65868@relay.ucb.crimea.ua>
In-Reply-To: <Pine.LNX.3.96.990611202315.5891A-100000@static-petef.netreach.net>; from Pete Fritchman on Fri, Jun 11, 1999 at 08:23:19PM -0400
References: <19990612004633.A29090@relay.ucb.crimea.ua> <Pine.LNX.3.96.990611202315.5891A-100000@static-petef.netreach.net>
On Fri, Jun 11, 1999 at 08:23:19PM -0400, Pete Fritchman wrote:
> I did it before and it worked fine.
>
Well, it worked fine for you(!) because almost every site in today's world
has a link with MTU >= 1500. The first symptom of this misconfiguration is
mail delivery problems.

Some time ago we had a SLIP link with MTU=552. I had problems receiving mail
from hosts which totally block ICMP. The first time it happened with
hub.FreeBSD.ORG, when crl.net (their provider) started to block ICMP. I've
tried to explain to sysadmins that blocking ICMP breaks PMTU discovery and
could cause mail delivery problems.

Now I have MTU=1500 and don't suffer from the ignorance of stupid sysadmins :-)

P.S. Try to set your link's MTU to something greater than 1500 (if you can),
then totally block ICMP and see how it goes.

> On Sat, 12 Jun 1999, Ruslan Ermilov wrote:
>
> > Date: Sat, 12 Jun 1999 00:46:33 +0300
> > From: Ruslan Ermilov <ru@ucb.crimea.ua>
> > To: Pete Fritchman <petef@netreach.net>
> > Cc: "Jason L. Schwab" <jschwab@royal.net>, ghandi@mindless.com,
> >     freebsd-security@FreeBSD.ORG
> > Subject: Re: firewalls
> >
> > On Fri, Jun 11, 1999 at 05:15:07PM -0400, Pete Fritchman wrote:
> > > You probably just want to deny all icmp to your dialup.
> > >
> > > ipfw add deny icmp from any to any
> > >
> > > --------------------
> > > [ Pete Fritchman ]
> > > [ Systems Engineer ]
> > > [petef@netreach.net]
> > > --------------------
> > >
> > Don't do it!!! It will break Path MTU discovery:
> > http://www.worldgate.com/~marcs/mtu/
> >
> > Instead, use the ICMP_BANDLIM option:
> >
> > * Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl. If option
> > * is specified in kernel config, icmplim defaults to 100 pps. Setting it
> > * to 0 will disable the feature. This feature limits ICMP error responses
> > * for packets sent to bad tcp or udp ports, which does a lot to help the
> > * machine handle network D.O.S. attacks.
> > *
> > * The kernel will report packet rates that exceed the limit at a rate of
> > * one kernel printf per second. There is one issue in regards to the
> > * 'tail end' of an attack... the kernel will not output the last report
> > * until some unrelated and valid icmp error packet is returned at some
> > * point after the attack is over. This is a minor reporting issue only.

-- 
Ruslan Ermilov		Sysadmin and DBA of the
ru@ucb.crimea.ua	United Commercial Bank
+380.652.247.647	Simferopol, Ukraine
http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
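The failure mode Ruslan describes (a 552-byte hop behind a site that drops all ICMP) and the alternative he points at (rate-limiting ICMP errors instead of blocking them) can both be made concrete in a short simulation. The following is an added example written for this archive page, not code from the thread or from FreeBSD: it encodes and parses the real ICMP type 3 / code 4 "fragmentation needed" message with the RFC 1191 next-hop MTU field, runs a sender doing Path MTU discovery across a constructed path, and compares a "deny all ICMP" filter with one that lets only type 3/code 4 through. The IP addresses, path MTUs and the IcmpBandLimiter class are constructed for illustration; the limiter sketches the policy the quoted commit message states (N error responses per second, 0 disables), not the kernel's actual implementation.

```python
import struct

# ICMP "Destination Unreachable / Fragmentation Needed and DF Set" (RFC 792),
# carrying the next-hop MTU in octets 6-7 of the ICMP header (RFC 1191).
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4


def inet_checksum(data: bytes) -> int:
    """Ones'-complement Internet checksum (RFC 1071) over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                # fold end-around carries
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frag_needed(next_hop_mtu: int, offending_ip_packet: bytes) -> bytes:
    """Build the ICMP error a router sends when a DF packet exceeds the next-hop MTU.
    The payload quotes the original IP header plus 8 bytes, as RFC 792 requires."""
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    msg = hdr + offending_ip_packet[:28]
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_frag_needed(pkt: bytes):
    """Return the advertised next-hop MTU, or None if pkt is not a valid type 3 / code 4."""
    if len(pkt) < 8 or inet_checksum(pkt) != 0:      # a correct checksum verifies to 0
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    return mtu


# Two firewall policies, expressed as "does this inbound ICMP packet pass?".
def deny_all_icmp(pkt: bytes) -> bool:
    """What 'ipfw add deny icmp from any to any' does: nothing gets through."""
    return False


def allow_frag_needed(pkt: bytes) -> bool:
    """Pass only type 3 / code 4 (needed for PMTUD); drop every other ICMP message."""
    return parse_frag_needed(pkt) is not None


def constructed_ip_header(total_length: int) -> bytes:
    """Constructed IPv4 header (DF bit 0x4000 set, protocol TCP) + 8 payload bytes,
    standing in for the oversized packet that a router would quote back."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # constructed addresses
    return ip + b"\x00" * 8


def simulate_pmtud(path_mtus, icmp_passes, start_mtu=1500, max_rounds=10):
    """The sender emits DF packets of size pmtu across links with the given MTUs.
    The first too-small link answers with frag-needed, which the receiving side's
    firewall (icmp_passes) may or may not deliver. Returns (delivered, pmtu, rounds)."""
    pmtu = start_mtu
    for rnd in range(1, max_rounds + 1):
        bottleneck = next((m for m in path_mtus if m < pmtu), None)
        if bottleneck is None:
            return True, pmtu, rnd                    # packet fits the whole path
        icmp = build_frag_needed(bottleneck, constructed_ip_header(pmtu))
        if not icmp_passes(icmp):
            continue                                  # black hole: same size retransmitted
        pmtu = parse_frag_needed(icmp)                # sender lowers its PMTU estimate
    return False, pmtu, max_rounds


class IcmpBandLimiter:
    """Per-second cap on ICMP error responses, in the spirit of net.inet.icmp.icmplim
    (hypothetical sketch of the policy, not the kernel's algorithm)."""

    def __init__(self, limit_pps=100):
        self.limit, self.second, self.count = limit_pps, None, 0

    def allow(self, now: float) -> bool:
        sec = int(now)
        if sec != self.second:                        # new one-second window
            self.second, self.count = sec, 0
        self.count += 1
        return self.limit == 0 or self.count <= self.limit   # 0 disables the limit


if __name__ == "__main__":
    path = [1500, 552, 1500]                          # a 552-byte SLIP hop as in the mail
    print("deny all ICMP:     ", simulate_pmtud(path, deny_all_icmp))
    print("allow frag-needed: ", simulate_pmtud(path, allow_frag_needed))
    lim = IcmpBandLimiter(100)
    print("error responses sent out of 250 in one second:",
          sum(lim.allow(0.001 * i) for i in range(250)))
```

With the deny-all filter the sender never learns the 552-byte bottleneck exists and every full-size segment is silently lost, which is exactly how a mail connection hangs after the SMTP handshake (small packets) succeeds. With the selective filter the first lost segment costs one round trip and the connection proceeds at 552. On FreeBSD the selective policy is expressed in ipfw as a rule that permits ICMP type 3 (`ipfw add allow icmp from any to any icmptypes 3`) ahead of any broader deny, while the flood concern Pete raised is addressed by the ICMP_BANDLIM rate limit quoted above rather than by blocking ICMP outright.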