On 19 Nov, 09:04, [EMAIL PROTECTED] (Ryan McBride) wrote:
> Typically the performance costs of packet handling depends more on the
> number of packets, not the size of the packets.
You wrote the right thing below: sometimes bandwidth costs more.
> So a smart attacker will
> send many small packets rather than fewer, bigger packets anyways.
I don't know, we had stupid attackers or it was just botnets =)
>
> Of course if you're concerned about your upstream bandwidth being
> consumed, whether you drop it on the firewall or not makes little
> difference.
Well, it's a matter of argument - I'd like to block it anyway because we
are an ISP and don't want to get complaints from upstreams.
>
> My personal suggestion would be to decide how much ICMP traffic you're
> willing to handle, and rate-limit it with altq rather than trying to
> sent arbitrary packet size limits, which may have unintended side
> effects.
It's slightly more difficult, isn't it, from the admin's point of view and
from the packet filter's point of view? Isn't it simpler just to analyze a
bit of the packet header (to see the packet size) instead of doing a lot of
actions with analyzing, redirecting, queueing, etc.?
> 1) It's not clear to me why you don't want it to return the default ICMP
> unreachable/port unreachable. But sure, suit yourself.
"Unreachable" could be because of a problem with the network, channel, etc.,
while "admin prohibited" clearly shows the true reason.
>
> 2) This feature has existed in PF from the beginning. See pf.conf(5):
>
>      return-icmp
>      return-icmp6
>           This causes ICMP messages to be returned for packets which
>           match the rule.  By default this is an ICMP UNREACHABLE
>           message, however this can be overridden by specifying a
>           message as a code or number.
>
> and
>
>      return     = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
>                   "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] |
>                   "return-icmp6" [ "(" icmp6code ")" ]
>
> i.e. 'block return-icmp ( host-prohib ) in'
>
> For example:
>
> block return-icmp ( host-prohib ) in
Wow, I can't imagine how I skipped this one while reading the docs and
FAQ. Thanks a lot... but it doesn't work for me and I don't understand
why:
===
[EMAIL PROTECTED]:/etc (745) pfctl -sr -v
block return-icmp(filter-prohib) in quick inet proto icmp from 10.53.0.100 to any
  [ Evaluations: 4097      Packets: 28        Bytes: 2352        States: 0     ]
  [ Inserted: uid 0 pid 10110 ]
[EMAIL PROTECTED]:/etc (746) tcpdump -nti em1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
IP 10.53.0.100 > 213.180.xxx.8: ICMP echo request, id 9273, seq 467, length 64
IP 10.53.0.100 > 213.180.xxx.8: ICMP echo request, id 9273, seq 468, length 64
IP 10.53.0.100 > 213.180.xxx.8: ICMP echo request, id 9273, seq 469, length 64
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
[EMAIL PROTECTED]:/etc (747)
===
>
> > P.S. By the way, is there no chance of shaping like ipfw (dummynet), by
> > getting a mask for all IP addresses? It's the last reason to stay with ipfw:
>
> No, there is nothing like this in PF right now. It's on my list of
> things to look at, but that list grows faster than I can get things
> done...
=))
We're still hoping and believing, Ryan! ;-)
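
[Editor's note, added below the thread and not part of either poster's
mail: the two suggestions above (rate-limit ICMP with altq rather than
filtering on packet size, and answer with return-icmp instead of a silent
drop) fit together in one pf.conf fragment. The interface names, the
10.53.0.0/24 prefix, and the queue bandwidths below are assumptions chosen
for illustration; only the block rule itself is the one from the thread,
with 'log' added so that matches can be checked.]

```pf
# Added example, not from the thread. Names and numbers marked "assumed"
# are placeholders for illustration.
ext_if = "em0"   # assumed: upstream-facing interface
int_if = "em1"   # assumed: customer-facing interface (the one tcpdump'd above)

# 1) Rate-limit ICMP instead of guessing a packet-size limit.
#    altq shapes traffic as it leaves $ext_if; a pass rule below assigns
#    ICMP to the small queue. 100Mb / 64Kb are assumed figures.
altq on $ext_if cbq bandwidth 100Mb queue { q_default, q_icmp }
queue q_default bandwidth 95% cbq(default)
queue q_icmp    bandwidth 64Kb

# 2) Tell one customer host why its ICMP is dropped: return an ICMP
#    "communication administratively prohibited" (filter-prohib, code 13)
#    rather than the default unreachable. 'log' copies every match to
#    pflog0, which is where to look for evidence that the rule fired.
block return-icmp(filter-prohib) in log quick on $int_if inet proto icmp \
    from 10.53.0.100 to any

# pf is last-match-wins (absent 'quick'), so the generic pass comes first
# and the ICMP-specific pass after it, so ICMP ends up in q_icmp.
pass in on $int_if inet from 10.53.0.0/24 to any keep state
pass in on $int_if inet proto icmp from 10.53.0.0/24 to any keep state queue q_icmp
```

To check it: after `pfctl -f /etc/pf.conf`, `pfctl -sr -vv` shows the
Packets counter on the block rule (the 28 in the output above already
means the rule matched 28 times), `tcpdump -nettti pflog0 icmp` shows each
logged match together with the rule number, and `pfctl -sq -v` shows the
queue counters. Note that `tcpdump -i em1` taps inbound frames before pf
ever sees them, so the echo requests will appear there whether or not the
rule matched; the counters and pflog0 are the place to look, not the wire
interface.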