Date: Thu, 7 Jun 2001 12:14:04 -0400 (EDT)
From: "Ian P. Thomas" <ipthomas_77@yahoo.com>
To: mi@aldan.algebra.com
Cc: freebsd-questions@freebsd.org
Subject: Re: using ipfw's ``pipe'' to limit icmp traffic
Message-ID: <200106071614.MAA01227@scarlet.my.domain>
In-Reply-To: <200106070028.f570SPW07419@misha.privatelabs.com> from "mi@aldan.algebra.com" at "Jun 6, 2001 08:27:12 pm"
I add ICMP_BANDLIM as an option in the kernel. It is used to prevent just the sort of attacks you are using your firewall for. I have seen no slowdown in my ping times since implementing it.

Ian

In the last episode, mi@aldan.algebra.com stated...
> Trying to protect our network from ICMP-based attacks, I added the
> following rules to the firewall:
>
> pipe 1 config bw 64Kbit/s
> add pipe 1 log icmp from any to any in via OIF
> add allow icmp from any to any
>
> (OIF is the Outside InterFace)
>
> The assumption is, there is not going to be _much_ ICMP traffic, so
> if it ever needs more than 64Kbit/s, it is an attack...
>
> This seems to work, but when I try to ping something outside the
> network, the ping time is around 10 msec. Without the above piping, it
> is around 0.5 msec. It is the bandwidth that I'm trying to limit, not
> the minimum latency!
>
> Even more bizarre is that the ping times are _higher_ when pings
> originate from the firewall itself, compared to those that originate
> from inside the firewalled network...
>
> What am I doing wrong? Thanks!
>
> -mi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
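An added worked example, not part of either message in the thread: the ipfw/dummynet ICMP limiter from the quoted rules, written as a small sh script that prints the rule set for review and only loads it when run as root on a FreeBSD host. Two practitioner notes are built in. First, dummynet releases packets from a pipe on the kernel timer tick, so every piped packet picks up to one tick of delay (10 ms at the default kern.hz=100), which matches the 10 msec pings reported above; the ipfw(8) manual recommends building the kernel with `options HZ=1000` when pipes are used, bringing that to 1 ms. Second, ICMP_BANDLIM (tunable through `net.inet.icmp.icmplim`) rate-limits ICMP and TCP RST responses that the host itself generates; it does not limit ICMP forwarded through the firewall, so the pipe still has a job. `OIF` is the thread's placeholder; the interface name `fxp0` below is a hypothetical default.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the ICMP dummynet
# pipe quoted above and shows the timer-tick cost of piping.
# OIF is the thread's placeholder; fxp0 is a hypothetical interface name.
OIF="${OIF:-fxp0}"
ICMP_BW="${ICMP_BW:-64Kbit/s}"

# Print the ipfw commands instead of running them, so the set can be
# reviewed (and tested) on any machine before it is loaded on the firewall.
icmp_rules() {
    # Bandwidth cap plus an explicit short queue. With dummynet's default
    # 50-slot queue, a flood keeps up to 50 packets buffered ahead of a
    # legitimate echo request; a short queue drops the excess sooner
    # instead of stacking queueing delay on top of the cap.
    echo "pipe 1 config bw ${ICMP_BW} queue 10"
    # Inbound ICMP on the outside interface goes through the pipe.
    echo "add 1000 pipe 1 log icmp from any to any in via ${OIF}"
    # Remaining ICMP is allowed, as in the quoted rules. With the default
    # net.inet.ip.fw.one_pass=1, packets leaving the pipe are already
    # accepted and never reach this rule.
    echo "add 1010 allow icmp from any to any"
}

# dummynet moves packets out of a pipe on the kernel timer tick, so a
# piped packet waits up to one tick: 1000/hz ms (10 ms at hz=100,
# 1 ms at hz=1000, set with "options HZ=1000" in the kernel config).
tick_delay_ms() {
    echo $((1000 / $1))
}

# Load the rules when run as root on FreeBSD with ipfw present; otherwise
# just print them for review.
load_rules() {
    if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" = 0 ] && command -v ipfw >/dev/null 2>&1; then
        icmp_rules | while read -r line; do
            # shellcheck disable=SC2086  # word splitting is intended here
            ipfw -q $line
        done
        hz="$(sysctl -n kern.hz)"
        echo "kern.hz is ${hz}: each piped packet waits up to $(tick_delay_ms "$hz") ms"
    else
        icmp_rules
    fi
}

load_rules
```

Run it once with no privileges to eyeball the three commands, then as root on the firewall to load them. If the 10 ms floor matters more than the bandwidth cap, the fix is the kernel HZ setting, not the pipe parameters: `bw` controls throughput, and the tick controls the minimum latency a pipe adds.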