From: aksis@idea-anvil.net
To: freebsd-questions@freebsd.org
Date: Thu, 7 Apr 2005 09:51:37 -0700
User-Agent: KMail/1.8
Message-Id: <200504070951.38865.aksis@idea-anvil.net>
Subject: ipfw + pipe and icmp

Hi,

I want to allow *all* icmp traffic on the firewall, but I don't want *incoming* traffic to be able to overwhelm my connection, so I am going to use ipfw pipe. I just wanted to double check and make sure what I am going to do will work the way I think it will:

    ... snip ...
    cmd="ipfw add"
    oif="tun0"
    skip="skipto 60000"
    ks="keep-state"

    # ping -s 56 -c 10
    # 56 translates into 64 ICMP data bytes when combined with
    # the 8 bytes of ICMP header data, thus for the pipe:
    # (pipes are configured with "ipfw pipe", not "ipfw add", so $cmd is not used here;
    #  bandwidth units are written "bit/s" in ipfw(8))
    ipfw pipe 1 config bw 640bit/s        # <-- will this and queue need a rule number?

    # shape inbound ICMP on the outside interface through pipe 1
    # (the posted line used "queue 1", which would need a separate
    #  "ipfw queue 1 config pipe 1"; the pipe is referenced directly here)
    $cmd pipe 1 icmp from any to any in via $oif $ks     # <-- rule number?
    ... snip ...
    # $pif is defined in the snipped part of the script
    $cmd 100 divert natd ip from any to any in via $pif
    $cmd 101 check-state
    ... snip ...
    $cmd 200 pipe 1 icmp from any to any in via $oif $ks
    $cmd 201 $skip icmp from any to any out via $pif $ks
    # allow (and log) any remaining ICMP; the posted line mixed "$skip" with "allow"
    $cmd 202 allow log icmp from any to any $ks
    ... snip ...
    $cmd 59999 deny all from any to any
    $cmd 60000 divert natd ip from any to any out via $pif
    $cmd 60010 allow ip from any to any
    ... snip ...

I believe this will limit all incoming icmp traffic to 640bits/s but not any outgoing, or replies to outgoing, thus making icmp flooding impossible. Please correct me if I am wrong (did I form the rules correctly?), or if I should go about this another way.

Also, how much bandwidth does a single default sized ping packet consume? Should I raise or lower the limit (I don't want the replies to be false or give too much slack)? This is a part that I'm not clear on at all. I don't believe more than 10 pings should be considered.

Also, if I start using rules with pipes, will I need to rewrite all the rules to use pipes, or will only the rules with pipes be limited and everything else will operate on default?
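The packet-size arithmetic and the inbound-only pipe the post is asking about, as an added example written for this page rather than code from the original poster. It assumes the outside interface is tun0 as in the post and that natd is diverted on the same interface; by default it only prints the ipfw commands (set IPFW=ipfw on a FreeBSD box to apply them). The size functions count what dummynet actually charges against a pipe: the IPv4 packet length, i.e. payload + 8 bytes of ICMP header + 20 bytes of IPv4 header, not the link-layer frame.

```shell
#!/bin/sh
# Added example for the ipfw + pipe question; not the original poster's script.
# Dry-run by default: IPFW="echo ipfw" prints the commands instead of running them.
IPFW=${IPFW:-"echo ipfw"}
oif="tun0"        # assumed outside interface, as in the post

# Bits per second consumed by $2 ICMP echo packets per second carrying $1 payload bytes.
# dummynet meters the IP packet: payload + 8 (ICMP header) + 20 (IPv4 header), times 8 bits.
ping_bps() {
    payload=$1
    pps=$2
    echo $(( (payload + 8 + 20) * 8 * pps ))
}

# Largest ICMP payload that $2 packets/s can carry within a $1 bit/s pipe (0 if none fits).
max_payload() {
    bps=$1
    pps=$2
    p=$(( bps / (8 * pps) - 28 ))
    [ "$p" -gt 0 ] && echo "$p" || echo 0
}

# Emit a rule set where only inbound ICMP on $oif is shaped through pipe 1.
# A pipe is created with "ipfw pipe N config" and needs no rule number; "queue N"
# would additionally need "ipfw queue N config pipe N". The "queue 5" option caps the
# pipe's backlog so a flood is dropped instead of queued behind a multi-second delay.
install_rules() {
    bw=$1
    $IPFW pipe 1 config bw "${bw}bit/s" queue 5
    $IPFW add 100 divert natd ip from any to any in via "$oif"
    # Replies to our own outbound pings match the dynamic rule created by 201 here,
    # before the pipe rule, so they are never shaped.
    $IPFW add 101 check-state
    # With net.inet.ip.fw.one_pass=1 (the default) a packet leaving the pipe is
    # accepted; with one_pass=0 it re-enters the ruleset at the next rule.
    $IPFW add 200 pipe 1 icmp from any to any in via "$oif"
    $IPFW add 201 allow icmp from any to any out via "$oif" keep-state
    $IPFW add 202 allow log icmp from any to any
    # Rules that do not name a pipe or queue are untouched by dummynet.
    $IPFW add 59999 deny ip from any to any
    $IPFW add 60000 divert natd ip from any to any out via "$oif"
    $IPFW add 60010 allow ip from any to any
}

# Ten default-size pings per second (56 bytes of data, as "ping -s 56") need this much:
budget=$(ping_bps 56 10)
install_rules "$budget"
```

A default FreeBSD ping carries 56 bytes of data, so each echo packet is 84 IP bytes, or 672 bits; a 640 bit/s pipe therefore passes less than one default-size ping per second, and ten per second need 6720 bit/s. Only rules whose action is `pipe` or `queue` are shaped; every other rule behaves exactly as it did before dummynet was configured.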