Today I was shocked when I found that PF doesn't support filtering by
packet size and can't answer with an admin-generated icmp code (for
example, icmp code 1 "admin. prohibited"). And don't tell me that
it is useless.
Packet size: We already had user attacks, when a huge count of full-
sized icmp packets (echoreq) brought our network/servers down. In the IPFW
filter we might avoid it with just one simple rule: "$ipfw add 123 deny
icmp from any to any iplen 500-1500 in". In PF we have almost
nothing: "max-conn-rate" works only with TCP.
Admin-generated icmp codes: With IPFW we could return icmp code 1 when a
user tried to connect to closed ports (especially the SMTP port for
spammers). With PF we could block only by silent drop, or ICMP
unreachable. It's not enough.
So, are there any chances to see these functions in the foreseeable
future?
PF is almost my love, it's a damn good filter... but only for some rules.
%-(
P.S. By the way, no chance of shaping like ipfw (dummynet), by getting a
mask for all ip addresses? It's the last reason to stay with ipfw:
man ipfw:
----------------------------
mask mask-specifier
    Packets sent to a given pipe or queue by an ipfw rule can be further classified into multiple flows, each of which is then sent to a different dynamic pipe or queue. A flow identifier is constructed by masking the IP addresses, ports and protocol types as specified with the mask options in the configuration of the pipe or queue. For each different flow identifier, a new pipe or queue is created with the same parameters as the original object, and matching packets are sent to it.
    Thus, when dynamic pipes are used, each flow will get the same bandwidth as defined by the pipe, whereas when dynamic queues are used, each flow will share the parent's pipe bandwidth evenly with other flows generated by the same queue (note that other queues with different weights might be connected to the same pipe).
    Available mask specifiers are a combination of one or more of the following: dst-ip mask, dst-ip6 mask, src-ip mask, src-ip6 mask, dst-port mask, src-port mask, flow-id mask, proto mask or all, where the latter means all bits in all fields are significant.
----------------------------
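A worked illustration of the dynamic-flow classification quoted above, added here and not part of the original post or of ipfw/dummynet itself: it parses an ipfw-style mask specifier (IPv4 fields only, an assumption; the ip6 and flow-id specifiers are left out) and groups constructed sample packets by the resulting flow identifier, the way dummynet would hand each distinct flow its own dynamic pipe or queue.

```python
import ipaddress
from collections import defaultdict

# Field order and widths follow the IPv4 mask specifiers in ipfw(8).
FIELDS = ("src-ip", "dst-ip", "src-port", "dst-port", "proto")
WIDTH = {"src-ip": 0xFFFFFFFF, "dst-ip": 0xFFFFFFFF,
         "src-port": 0xFFFF, "dst-port": 0xFFFF, "proto": 0xFF}

def parse_mask_spec(spec):
    """Turn 'mask src-ip 0xffffff00 dst-port 0xffff' into {field: mask}.
    An empty spec means no classification: every packet is one flow."""
    tokens = spec.split()
    if tokens and tokens[0] == "mask":
        tokens = tokens[1:]
    if tokens == ["all"]:            # all bits in all fields significant
        return dict(WIDTH)
    masks, it = {}, iter(tokens)
    for name in it:
        if name not in WIDTH:
            raise ValueError(f"unknown mask specifier {name!r}")
        value = next(it)
        if name.endswith("-ip") and not value.startswith("0x"):
            mask = int(ipaddress.IPv4Address(value))   # dotted-quad form
        else:
            mask = int(value, 0)                        # hex or decimal
        masks[name] = mask & WIDTH[name]
    return masks

def flow_id(pkt, masks):
    """Mask each header field; unmasked fields contribute nothing."""
    key = []
    for f in FIELDS:
        raw = int(ipaddress.IPv4Address(pkt[f])) if f.endswith("-ip") else pkt[f]
        key.append(raw & masks.get(f, 0))
    return tuple(key)

def classify(packets, spec):
    """Group packets into the dynamic pipes/queues a mask spec would create."""
    masks = parse_mask_spec(spec)
    flows = defaultdict(list)
    for p in packets:
        flows[flow_id(p, masks)].append(p)
    return dict(flows)

# Constructed sample traffic: two hosts in 10.0.1.0/24, one in 10.0.2.0/24.
SAMPLE_PACKETS = [
    {"src-ip": "10.0.1.5",   "dst-ip": "192.0.2.1", "src-port": 40000, "dst-port": 80,  "proto": 6},
    {"src-ip": "10.0.1.200", "dst-ip": "192.0.2.1", "src-port": 40001, "dst-port": 80,  "proto": 6},
    {"src-ip": "10.0.2.1",   "dst-ip": "192.0.2.1", "src-port": 40002, "dst-port": 443, "proto": 6},
]
```

With "mask src-ip 0xffffff00" the two 10.0.1.x sources share one dynamic pipe, while "mask all" gives each packet its own.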