Date:      Tue, 22 Jul 1997 10:57:02 +1000 (EST)
From:      "Daniel O'Callaghan" <danny@panda.hilink.com.au>
To:        Mike D Tancsa <mdtancsa@sentex.net>
Cc:        questions@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject:   Re: preventing ICMP echo requests to the broadcast address
Message-ID:  <Pine.BSF.3.91.970722105001.869Q-100000@panda.hilink.com.au>
In-Reply-To: <199707211843.OAA29815@granite.sentex.net>


On Mon, 21 Jul 1997, Mike D Tancsa wrote:

> 
> Is there any easy way to always prevent someone from pinging the
> broadcast addresses on my networks other than explicitly filtering
> them using ipfw ?  

In /etc/rc.firewall, after the allow all from 127.0.0.1 to 127.0.0.1
rule add a rule '/sbin/ipfw add deny all from 0.0.0.255:0.0.0.255'

Note that the above only blocks the broadcast address of class C networks 
- you should adjust if you use subnet sizes other than /24.

> Also, while on the topic of ipfw, does anyone know how much processor
> overhead ipfw adds to the system ?  I suppose the more rules one
> adds the worse it gets.  But does anyone have a reasonable guestimate ?

A 686-120/P150+ with 500 rules and passing 200 pps amounting to more 
than 512kbps runs at about 4.5% CPU in 'system'.

It also depends on the number of rules each packet is compared against.

/*  Daniel O'Callaghan                                                     */
/*  HiLink Internet <http://www.hilink.com.au/>        danny@hilink.com.au  */
/*  FreeBSD - works hard, plays hard...                 danny@freebsd.org  */
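As an added example, not part of the original post: a small sh script that computes the directed-broadcast address for any prefix length (the adjustment the reply says is needed for subnets other than /24) and prints an ipfw rule denying ICMP echo requests to it. The rule number and the ICMP-only form are this example's choices, not the author's; `icmptypes` is a documented ipfw option.

```shell
#!/bin/sh
# Added example (not from the original post): compute the directed-broadcast
# address of an arbitrary IPv4 prefix and emit an ipfw rule for it, so the
# /24-only rule from the thread can be adjusted to other subnet sizes.

# Convert a dotted quad to a 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Convert a 32-bit integer back to a dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# broadcast_addr 192.168.10.64/26 -> 192.168.10.127
broadcast_addr() {
    net=${1%/*}
    bits=${1#*/}
    n=$(ip_to_int "$net")
    # Host mask: the low (32 - bits) bits set; OR-ing it in gives the broadcast.
    hostmask=$(( (1 << (32 - bits)) - 1 ))
    int_to_ip $(( n | hostmask ))
}

# Emit an ipfw rule denying inbound ICMP echo requests (type 8) to the
# broadcast address of the given prefix. Rule number 1000 is a placeholder.
bcast_deny_rule() {
    echo "ipfw add 1000 deny icmp from any to $(broadcast_addr "$1") in icmptypes 8"
}

# Sample prefixes (constructed for this example).
for p in 192.168.10.64/26 10.0.0.0/8 203.0.113.0/24; do
    bcast_deny_rule "$p"
done
```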
