Re: rate limit echo request

2020-01-23 Thread myml...@gmx.com

On 1/23/20 1:35 AM, Jesper Wallin wrote:

> Hi,
>
> Use the max-pkt-rate parameter instead.  It does exactly what you think
> it does and is thoroughly covered in pf.conf(5) with examples and all.
>
>
> Regards
> Jesper Wallin
>
>
> On Wed, Jan 22, 2020 at 10:42:01PM -0700, myml...@gmx.com wrote:
>
> > Hi,
> >
> > I'm just wondering if there is a way to rate limit icmp echo request.
> > i.e. pings.
> >
> > I tried the following rule but it errors out with "syntax error"
> >
> > pass in quick on em1 inet proto icmp from 192.168.0.23  to 192.168.1.2
> > icmp-type  echoreq (max-src-conn-rate 1/2, overload  flush)
> >
> > I'm trying to avoid even standard pings and especially "ping -f".
> >
> > Additionally, I was wondering if there would be a way to block icmp
> > that's over a certain size.  "ping -s".
> >
> >
> > Thanks in advance!!!




Awesome, that worked great!

Thanks much!



Re: rate limit echo request

2020-01-23 Thread Stuart Henderson
On 2020-01-23, myml...@gmx.com  wrote:
> Hi,
>
> I'm just wondering if there is a way to rate limit icmp echo request.
> i.e. pings.
>
> I tried the following rule but it errors out with "syntax error"
>
> pass in quick on em1 inet proto icmp from 192.168.0.23  to 192.168.1.2
> icmp-type  echoreq (max-src-conn-rate 1/2, overload  flush)

See Jesper's reply for this.

> I'm trying to avoid even standard pings and especially "ping -f".
>
> Additionally, I was wondering if there would be a way to block icmp
> that's over a certain size.  "ping -s".

Not in PF, but see "fildrop" in tcpdump(8).




Re: rate limit echo request

2020-01-23 Thread Jesper Wallin
Hi,

Use the max-pkt-rate parameter instead.  It does exactly what you think
it does and is thoroughly covered in pf.conf(5) with examples and all.


Regards
Jesper Wallin


On Wed, Jan 22, 2020 at 10:42:01PM -0700, myml...@gmx.com wrote:
> Hi,
> 
> I'm just wondering if there is a way to rate limit icmp echo request.
> i.e. pings.
> 
> I tried the following rule but it errors out with "syntax error"
> 
> pass in quick on em1 inet proto icmp from 192.168.0.23  to 192.168.1.2
> icmp-type  echoreq (max-src-conn-rate 1/2, overload  flush)
> 
> I'm trying to avoid even standard pings and especially "ping -f".
> 
> Additionally, I was wondering if there would be a way to block icmp
> that's over a certain size.  "ping -s".
> 
> 
> Thanks in advance!!!
> 
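
Added example, not part of the thread: the rule from the question rewritten with max-pkt-rate as suggested in the reply above. The interface, addresses and the 1/2 rate are taken from the question; the explicit block rule and the pfctl checks in the comments are additions, and /etc/pf.conf is assumed to be the ruleset file.

```pf
# Added example, not from the thread.

# The rule as it appears in the question is rejected by the parser:
#   - a parenthesised option list belongs to "keep state",
#     not directly to the rule
#   - "overload" takes a table name: overload <table> flush
#   - max-src-conn-rate counts TCP connections that have completed
#     the three-way handshake, so it would not count ICMP anyway
#
# pass in quick on em1 inet proto icmp from 192.168.0.23 to 192.168.1.2 \
#     icmp-type echoreq (max-src-conn-rate 1/2, overload flush)

# Rate-limited form. max-pkt-rate is a rule option written outside any
# parentheses. While the measured rate is above 1 packet per 2 seconds
# the pass rule stops matching, so a block rule has to be present to
# catch the excess echo requests.
block in on em1 inet proto icmp from 192.168.0.23 to 192.168.1.2 \
    icmp-type echoreq
pass in quick on em1 inet proto icmp from 192.168.0.23 to 192.168.1.2 \
    icmp-type echoreq max-pkt-rate 1/2

# Parse the ruleset without loading it:      pfctl -nf /etc/pf.conf
# Watch per-rule counters while testing:     pfctl -vvsr
```

The packet rate is measured per rule, not per source address; here the rule names a single source, so the two coincide.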



Re: rate limit echo request

2020-01-22 Thread myml...@gmx.com



On 1/22/20 10:42 PM, myml...@gmx.com wrote:

> Hi,
>
> I'm just wondering if there is a way to rate limit icmp echo request.
> i.e. pings.
>
> I tried the following rule but it errors out with "syntax error"
>
> pass in quick on em1 inet proto icmp from 192.168.0.23  to 192.168.1.2
> icmp-type  echoreq (max-src-conn-rate 1/2, overload flush)
>
> I'm trying to avoid even standard pings and especially "ping -f".
>
> Additionally, I was wondering if there would be a way to block icmp
> that's over a certain size.  "ping -s".
>
>
> Thanks in advance!!!



Sorry,

This is a fresh install of a snapshot from 10/17 on amd64

OpenBSD 6.6-current (GENERIC.MP) #613: Thu Jan 16 13:52:56 MST 2020
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

rate limit echo request

2020-01-22 Thread myml...@gmx.com

Hi,

I'm just wondering if there is a way to rate limit icmp echo request.
i.e. pings.

I tried the following rule but it errors out with "syntax error"

pass in quick on em1 inet proto icmp from 192.168.0.23  to 192.168.1.2
icmp-type  echoreq (max-src-conn-rate 1/2, overload  flush)

I'm trying to avoid even standard pings and especially "ping -f".

Additionally, I was wondering if there would be a way to block icmp
that's over a certain size.  "ping -s".


Thanks in advance!!!