Hi,

I want to allow *all* icmp traffic on the firewall, but I don't want 
*incoming* traffic to be able to overwhelm my connection, so I am going to 
use ipfw pipe.

I just wanted to double check and make sure what I am going to do will work 
the way I think it will:

... snip ...
cmd="ipfw add"
oif="tun0"
skip="skipto 60000"
ks="keep-state"

#  ping -s 56 -c 10 
# 56 translates into 64 ICMP data bytes when combined with 
# the 8 bytes of ICMP header data, thus for the pipe:
ipfw pipe 1 config bw 640bits/s <-- will this and queue need a rule number?
$cmd queue 1 icmp from any to any in via $oif $ks <--      rule number? 
... snip ...
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state
... snip ...
$cmd 200 queue 1 icmp from any to any in via $oif $ks
$cmd 201 $skip icmp from any to any out via $pif $ks
$cmd 202 $skip allow log icmp from any to any $ks
... snip ...
$cmd 59999 deny all from any to any
$cmd 60000 divert natd ip from any to any out via $pif
$cmd 60010 allow ip from any to any
... snip ...

I believe this will limit all incoming icmp traffic to 640bits/s but not any 
outgoing, or, replies to outgoing, thus making icmp flooding impossible. Please 
correct me if I am wrong, (did I form the rules correctly?), or if I should 
go about this another way.

Also, how much bandwidth does a single default sized ping packet consume? 
Should I raise or lower the limit, (I don't want the replies to be false or 
give too much slack)? This is a part that I'm not clear on at all. I don't 
believe more than 10 pings should be considered.

Also, if I start using rules with pipes, will I need to rewrite all the rules 
to use pipes or will only the rules with pipes be limited and everything else 
will operate on default?
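An added example, not part of the original post, showing one way to write the inbound-only ICMP limit with a dummynet pipe together with the bandwidth arithmetic for default-size pings. It assumes tun0 is the outside interface, that rule numbers 101, 200 and 201 are free, and that IPFW is left at its default of echo so the script only prints the commands.

```sh
#!/bin/sh
# Added example, not from the original post. Inbound-only ICMP rate limit
# with a dummynet pipe. Assumptions: tun0 is the outside interface, rule
# numbers 101/200/201 are free, and IPFW=echo prints the commands instead
# of loading them (run with IPFW=ipfw as root on a real host).
IPFW=${IPFW:-echo}
oif="tun0"

# Bits per ping as dummynet meters it (IP layer): data bytes + 8-byte ICMP
# header + 20-byte IPv4 header. The default "ping -s 56" is 84 bytes.
ping_bits() {
    echo $(( (${1:-56} + 8 + 20) * 8 ))
}

# Pipe bandwidth in bit/s needed to pass $1 default-size pings per second.
ping_bps() {
    echo $(( $1 * $(ping_bits 56) ))
}

icmp_limit_rules() {
    pps=${1:-10}
    bw=$(ping_bps "$pps")
    # "pipe N config" is keyed by the pipe number and takes no rule number;
    # only "ipfw add" rules do. A short queue (slots) keeps the delay small
    # at such a low rate; the default 50 slots would buffer seconds of ICMP.
    $IPFW pipe 1 config bw "${bw}bit/s" queue 10
    # Replies to our own outbound pings match the dynamic rule created by
    # rule 201 below, so they are allowed here before reaching the pipe.
    $IPFW add 101 check-state
    # Unsolicited inbound ICMP is shaped. The action is "pipe 1", not
    # "queue 1" (queues are separate objects, "queue N config pipe 1 ...").
    # With the default net.inet.ip.fw.one_pass=1 the packet is accepted
    # when it leaves the pipe, so no further allow rule is needed.
    $IPFW add 200 pipe 1 icmp from any to any in via "$oif"
    # Outbound ICMP is unlimited; keep-state lets its replies back in.
    $IPFW add 201 allow icmp from any to any out via "$oif" keep-state
}

icmp_limit_rules 10
```

At 10 default pings per second the pipe needs 6720 bit/s, so a 640bit/s pipe cannot pass even one 84-byte ping per second.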
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions