From owner-freebsd-questions Mon Jul 21 17:58:04 1997
Date: Tue, 22 Jul 1997 10:57:02 +1000 (EST)
From: "Daniel O'Callaghan"
To: Mike D Tancsa
cc: questions@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: preventing ICMP echo requests to the broadcast address
In-Reply-To: <199707211843.OAA29815@granite.sentex.net>
Sender: owner-freebsd-questions@FreeBSD.ORG

On Mon, 21 Jul 1997, Mike D Tancsa wrote:

> Is there any easy way to always prevent someone from pinging the
> broadcast addresses on my networks other than explicitly filtering
> them using ipfw ?

In /etc/rc.firewall, after the "allow all from 127.0.0.1 to 127.0.0.1" rule, add a rule:

    /sbin/ipfw add deny all from 0.0.0.255:0.0.0.255

Note that the above only blocks the broadcast address of class C networks - you should adjust if you use subnet sizes other than /24.

> Also, while on the topic of ipfw, does anyone know how much processor
> overhead ipfw adds to the system ? I suppose the more rules one
> adds the worse it gets. But does anyone have a reasonable guestimate ?

A 686-120/P150+ with 500 rules and passing 200 pps amounting to more than 512kbps runs at about 4.5% CPU in 'system'. It also depends on the number of rules each packet is compared against.

/* Daniel O'Callaghan                                                     */
/* HiLink Internet                              danny@hilink.com.au       */
/* FreeBSD - works hard, plays hard...          danny@freebsd.org         */
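The "adjust for subnet sizes other than /24" caveat above, worked through as an added example (not code from the message or from FreeBSD): it evaluates the old-style ipfw "addr:mask" pattern the way ipfw does, checks which broadcast addresses of some constructed sample subnets the 0.0.0.255:0.0.0.255 rule would actually catch, and emits one exact-host rule per subnet instead. The sample subnets and the choice of "to" (blocking traffic addressed to the broadcast, which is what the question asks about) are assumptions.

```python
import ipaddress

# Constructed sample subnets (not from the message): one /24, one /23 and two smaller ones.
SAMPLE_NETWORKS = ["192.168.1.0/24", "10.1.2.0/23", "10.9.0.0/26", "172.16.0.0/25"]

# The pattern from the message: ipfw "addr:mask", where mask is a dotted quad.
CLASS_C_PATTERN = "0.0.0.255:0.0.0.255"


def ipfw_addr_mask_matches(pattern: str, addr: str) -> bool:
    """Return True if 'addr' matches an ipfw 'addr:mask' pattern.

    ipfw compares (packet_addr & mask) with (pattern_addr & mask).  A mask of
    0.0.0.255 looks only at the last octet, so 0.0.0.255:0.0.0.255 matches
    every address ending in .255 regardless of which network it belongs to.
    """
    pat_addr, pat_mask = pattern.split(":")
    mask = int(ipaddress.IPv4Address(pat_mask))
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(pat_addr)) & mask)


def broadcast_coverage(networks, pattern=CLASS_C_PATTERN):
    """Map each network to (its broadcast address, whether 'pattern' would block it)."""
    result = {}
    for cidr in networks:
        bcast = str(ipaddress.ip_network(cidr, strict=True).broadcast_address)
        result[cidr] = (bcast, ipfw_addr_mask_matches(pattern, bcast))
    return result


def per_subnet_rules(networks):
    """One exact-host deny rule per broadcast address, in the same addr:mask form.

    A 255.255.255.255 mask matches only that one address, so a /26 or /25
    broadcast (.63, .127) is covered and ordinary hosts are not caught.
    """
    return [
        f"/sbin/ipfw add deny all from any to {bcast}:255.255.255.255"
        for _, (bcast, _) in broadcast_coverage(networks).items()
    ]


if __name__ == "__main__":
    for cidr, (bcast, covered) in broadcast_coverage(SAMPLE_NETWORKS).items():
        print(f"{cidr:18} broadcast {bcast:16} blocked by .255 rule: {covered}")
    print("\n".join(per_subnet_rules(SAMPLE_NETWORKS)))
```

Note the other side of the same caveat: in a subnet larger than /24 the .255 pattern also matches ordinary hosts (10.1.2.255 is a valid host in 10.1.2.0/23), which the per-subnet exact rules avoid.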