
Re: Speed control on outgoing ICMP packets

On Thu, 22 Jun 2000, Andi Kleen wrote:

> It is a totally broken solution when you filter all ICMP packets 
> (especially DEST_UNREACHABLE/fragmentation needed). It makes you lose 
> service to all hosts that are on MTUs < your MTU because it breaks
> path mtu discovery. MTUs < Ethernet MTU are pretty common with VPNs. 
> 
> Filtering other dest unreachable packets usually causes more traffic.
> For example when you run a mail server and the remote server tries to 
> query firewalled ident it'll never see the port unreachable and transmit lots
> of useless SYNs.
> 
> Some ICMP packets can be safely filtered, but they are few. A lot of them
> serve useful purposes and blocking them makes service on your line worse.
> 

I totally agree with Andi. I can only think of Echo/replies as being a good
thing to rate filter, mostly because of smurf attacks etc.

To the original poster: You can do ingress filtering on the router (Werner
pointed it out but you might have missed it).
I can't remember if ipchains/netfilter can classify on selected ICMP
sub-types, but definitely you can use u32 + ingress qdisc to achieve what
you want. Look at the example directory for the SYN packet limiter example
(and just replace the ipchains usage with u32).

cheers,
jamal
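The ingress qdisc + u32 approach jamal describes, written out as a small shell script. This is an added example, not the iproute2 SYN-limiter script or anything from the thread; it assumes a reasonably current iproute2 `tc` on PATH, root privileges, and that the interface, rate and burst values are placeholders you replace. It polices only ICMP echo requests (type 8) and leaves destination-unreachable and fragmentation-needed alone, so path MTU discovery keeps working.

```shell
#!/bin/sh
# Rate-limit inbound ICMP echo requests with an ingress qdisc, a u32
# classifier and a policer, in the spirit of the SYN limiter in the
# iproute2 examples directory (constructed example, not that file).
# Assumptions: iproute2's tc is installed and this runs as root.
# Set TC=echo to print the commands instead of running them (dry run).
TC=${TC:-tc}

icmp_echo_limiter() {
    dev=$1             # interface receiving the pings, e.g. eth0 (placeholder)
    rate=${2:-8kbit}   # sustained rate allowed for echo requests
    burst=${3:-2k}     # burst tolerance of the policer's token bucket

    # Ingress qdisc: the hook where incoming packets are classified
    # before they reach the IP stack. Fails if one already exists.
    $TC qdisc add dev "$dev" handle ffff: ingress || return 1

    # u32 keys: IP protocol field == 1 (ICMP) and the ICMP type byte == 8
    # (echo request). The type byte is read at offset 20 from the start
    # of the IP header, which assumes a 20-byte header (no IP options);
    # packets carrying options do not match and are not policed.
    # The policer drops anything above rate/burst. Echo replies, dest
    # unreachable and fragmentation-needed never match, so they pass.
    $TC filter add dev "$dev" parent ffff: protocol ip prio 50 u32 \
        match ip protocol 1 0xff \
        match u8 8 0xff at 20 \
        police rate "$rate" burst "$burst" drop flowid :1
}

# Remove the limiter again. Note this deletes the whole ingress qdisc,
# and with it every other ingress filter attached to the interface.
icmp_echo_unlimit() {
    $TC qdisc del dev "$1" handle ffff: ingress
}
```

Run `icmp_echo_limiter eth0 8kbit 2k` as root to install it, or `TC=echo icmp_echo_limiter eth0` to see the tc commands it would issue.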