Trying to protect our network from ICMP-based attacks, I added the
following rules to the firewall:
pipe 1 config bw 64Kbit/s
add pipe 1 log icmp from any to any in via OIF
add allow icmp from any to any
(OIF is the Outside InterFace)
The assumption is, there is not going to be _much_ of ICMP traffic, so
if it ever needs more than 64Kbit/s, it is an attack...
This seems to work, but when I try to ping something outised the
network, the ping time is around 10 msec. Without the above piping, it
is around 0.5 msec. It is the bandwidth, that I'm trying to limit, not
the minimum latency!
Even more bizarre is that the ping times are _higher_ when pings
originate from the firewall itself, compared to those, that originate
from inside the firewalled network...
What am I doing wrong? Thanks!
-mi
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
