From owner-freebsd-net Wed Jun 6 22:19:20 2001
Delivered-To: freebsd-net@freebsd.org
Received: from herbelot.dyndns.org (s108.dhcp212-28.cybercable.fr [212.198.28.108])
	by hub.freebsd.org (Postfix) with ESMTP id 30EBE37B405;
	Wed, 6 Jun 2001 22:19:15 -0700 (PDT)
	(envelope-from thierry@herbelot.com)
Received: from herbelot.com (multi.herbelot.nom [192.168.1.2])
	by herbelot.dyndns.org (8.9.3/8.9.3) with ESMTP id HAA04956;
	Thu, 7 Jun 2001 07:45:39 +0200 (CEST)
	(envelope-from thierry@herbelot.com)
Message-ID: <3B1F0EC3.28C7A21C@herbelot.com>
Date: Thu, 07 Jun 2001 07:18:59 +0200
From: Thierry Herbelot
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: mi@aldan.algebra.com
Cc: question@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: using ipfw's ``pipe'' to limit icmp traffic
References: <200106070027.f570RDW07406@misha.privatelabs.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

mi@aldan.algebra.com wrote:
>
> Trying to protect our network from ICMP-based attacks, I added the
> following rules to the firewall:
>
>     pipe 1 config bw 64Kbit/s
>     add pipe 1 log icmp from any to any in via OIF
>     add allow icmp from any to any
>
> (OIF is the Outside InterFace)
>
> The assumption is, there is not going to be _much_ of ICMP traffic, so
> if it ever needs more than 64Kbit/s, it is an attack...
>
> This seems to work, but when I try to ping something outside the
> network, the ping time is around 10 msec. Without the above piping, it
> is around 0.5 msec. It is the bandwidth that I'm trying to limit, not
> the minimum latency!

The pipe facility is using the kernel clock, which has a default
frequency of 100 Hz (thus the 10 ms latency).

The ipfw man page suggests: "it is a good practice to run kernels with
``options HZ=1000'' to reduce the granularity to 1ms or less"

(HZ=1000 should work with computers as slow as a Pentium-75; I'm using
HZ=5000 with a P-III/450MHz)

PS: the HZ option is not documented in the LINT kernel config as it
should be.

> Even more bizarre is that the ping times are _higher_ when pings
> originate from the firewall itself, compared to those that originate
> from inside the firewalled network...

USTL

> What am I doing wrong? Thanks!
>
> -mi
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message

--
Thierry Herbelot
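As an added illustration (not from either poster), the script below estimates the one-way delay a dummynet pipe adds for a given HZ and pipe bandwidth. The tick term is the kernel-clock quantization described in the reply; the serialization term (packet size over pipe bandwidth) goes beyond the thread and is included so the two contributions can be told apart. It assumes a FreeBSD host only for reading kern.clockrate; everything else is plain arithmetic.

```shell
#!/bin/sh
# Added example, not code from the thread. Estimates dummynet pipe delay
# from (a) kernel-clock tick granularity (HZ) and (b) serialization time
# at the pipe bandwidth. All times in microseconds, integer arithmetic.

# One kernel tick in microseconds for a given HZ: 100 -> 10000, 1000 -> 1000.
tick_us() {
    echo $((1000000 / $1))
}

# Time to clock a packet of $1 bytes through a pipe of $2 bit/s.
# Independent of HZ; this is the cost of the bandwidth limit itself.
serialize_us() {
    echo $(( $1 * 8 * 1000000 / $2 ))
}

# Worst-case added one-way delay: a packet can wait up to one full tick
# before dummynet services the pipe, then needs its serialization time.
# Usage: worst_case_us HZ BYTES BITS_PER_SEC
worst_case_us() {
    echo $(( $(tick_us "$1") + $(serialize_us "$2" "$3") ))
}

# Read HZ from a running FreeBSD kernel via kern.clockrate (assumption:
# its output contains "hz = N"). Falls back to 100, the default the reply
# mentions, when sysctl is unavailable (e.g. when run on another OS).
current_hz() {
    sysctl -n kern.clockrate 2>/dev/null \
        | sed -n 's/.*hz = \([0-9]*\).*/\1/p' | grep . || echo 100
}

# Stand-alone run: a default 84-byte ICMP echo (20 IP + 8 ICMP + 56 data)
# through the 64 Kbit/s pipe from the original question.
hz=$(current_hz)
echo "HZ=$hz  tick=$(tick_us "$hz")us  serialize(84B@64Kbit/s)=$(serialize_us 84 64000)us"
echo "worst-case added delay: $(worst_case_us "$hz" 84 64000)us"
```

With HZ=100 the tick alone accounts for 10 ms, matching the 10 ms the original poster measured; raising HZ to 1000 leaves the serialization term untouched, so the bandwidth cap still adds on the order of 10 ms for a full-size echo at 64 Kbit/s.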