[EMAIL PROTECTED] wrote:
>
> Trying to protect our network from ICMP-based attacks, I added the
> following rules to the firewall:
>
> pipe 1 config bw 64Kbit/s
> add pipe 1 log icmp from any to any in via OIF
> add allow icmp from any to any
>
> (OIF is the Outside InterFace)
>
> The assumption is, there is not going to be _much_ ICMP traffic, so
> if it ever needs more than 64Kbit/s, it is an attack...
>
> This seems to work, but when I try to ping something outside the
> network, the ping time is around 10 msec. Without the above piping, it
> is around 0.5 msec. It is the bandwidth that I'm trying to limit, not
> the minimum latency!

The pipe facility is using the kernel clock, which has a default frequency
of 100 Hz (thus the 10 ms latency). The ipfw man page suggests:

"it is a good practice to run kernels with ``options HZ=1000'' to reduce
the granularity to 1ms or less"

(HZ=1000 should work with computers as slow as a Pentium-75; I'm using
HZ=5000 with a P-III/450MHz.)

PS: the HZ option is not documented in the LINT kernel config as it
should be.

> Even more bizarre is that the ping times are _higher_ when pings
> originate from the firewall itself, compared to those that originate
> from inside the firewalled network...

USTL

> What am I doing wrong? Thanks!
>
> -mi
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-net" in the body of the message

--
Thierry Herbelot
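The reply's point about the kernel tick, worked through as an added example that is not part of this thread or of FreeBSD's code: a small Python simulation of a tick-driven pipe that separates the 1/HZ scheduling granularity from the serialization delay bits/bandwidth of the pipe itself. The credit model (credit granted once per tick, packet released at the first tick where accumulated credit covers its size, no credit carried in from an idle period) is a simplified assumption, not dummynet's actual code, and the input values (a 64 Kbit/s pipe, an 84-byte IPv4 echo request arriving 3 ms after a tick) are constructed for illustration.

```python
from fractions import Fraction

# Constructed illustration values (not from the thread): a 64 Kbit/s pipe and a
# default-size IPv4 ICMP echo request (20 IP + 8 ICMP + 56 data = 84 bytes).
PIPE_BW_BPS = 64_000
ECHO_REQUEST_BITS = 84 * 8


def tick_us(hz: int) -> int:
    """Scheduler granularity in microseconds for a kernel running at HZ."""
    if hz <= 0:
        raise ValueError("hz must be positive")
    return 1_000_000 // hz


def serialization_delay_us(bits: int, bw_bps: int) -> Fraction:
    """Time the pipe needs to 'transmit' the packet; does not depend on HZ."""
    if bw_bps <= 0:
        raise ValueError("bandwidth must be positive")
    return Fraction(bits * 1_000_000, bw_bps)


def shaper_delay_us(bits: int, bw_bps: int, hz: int, arrival_us: int = 0) -> int:
    """Delay a lone packet sees through a tick-driven pipe.

    Simplified model (an assumption, not dummynet's implementation): the pipe
    holds no credit when the packet arrives, earns bw/HZ bits at every clock
    tick, and releases the packet at the first tick where credit >= packet
    size. The delay is therefore the wait for the next tick plus
    ceil(bits / credit_per_tick) further ticks.
    """
    if bw_bps <= 0:
        raise ValueError("bandwidth must be positive")
    tick = tick_us(hz)
    credit_per_tick = Fraction(bw_bps, hz)
    credit = Fraction(0)
    t = (arrival_us // tick + 1) * tick  # first tick strictly after arrival
    while True:
        credit += credit_per_tick
        if credit >= bits:
            return t - arrival_us
        t += tick


def compare_hz(bits: int, bw_bps: int, hz_values, arrival_us: int = 3000) -> dict:
    """Map each HZ to (tick granularity, modelled pipe delay) in microseconds."""
    return {hz: (tick_us(hz), shaper_delay_us(bits, bw_bps, hz, arrival_us))
            for hz in hz_values}


if __name__ == "__main__":
    ser = serialization_delay_us(ECHO_REQUEST_BITS, PIPE_BW_BPS)
    print(f"serialization delay at {PIPE_BW_BPS} bit/s: {float(ser):.1f} us")
    for hz, (tick, delay) in compare_hz(ECHO_REQUEST_BITS, PIPE_BW_BPS,
                                        (100, 1000, 5000)).items():
        print(f"HZ={hz:5d}  tick={tick:6d} us  pipe delay={delay:6d} us")
    # A fast pipe shows the pure quantization effect: one tick's credit
    # already covers the packet, so the delay is just the wait for a tick.
    print("10 Mbit/s pipe, HZ=100:",
          shaper_delay_us(ECHO_REQUEST_BITS, 10_000_000, 100, 3000), "us")
```

Under this model the 84-byte echo request needs 10.5 ms of serialization at 64 Kbit/s whatever HZ is; HZ=100 adds up to two ticks of quantization on top (17 ms in the run above), HZ=1000 brings the figure to 11 ms and HZ=5000 to 10.6 ms. The tick frequency is the dominant term only when one tick's credit already covers the packet, as with the 10 Mbit/s pipe, so when tuning a slow pipe it is worth computing both terms before rebuilding the kernel.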