On Tue, Nov 18, 2008 at 10:36:48AM -0800, [EMAIL PROTECTED] wrote:
> Today I was shocked when I found that PF doesn't support filtering by
> packet size and can't answer with an admin-generated icmp code (for
> example, icmp code 1 "admin. prohibited"). And don't tell me that
> it is useless.
>
> Packet size: We already had user attacks, where a huge count of full-
> sized icmp packets (echoreq) brought our network/servers down. In IPFW
> we could avoid it with just one simple rule - "$ipfw add 123 deny
> icmp from any to any iplen 500-1500 in". In PF we have almost
> nothing - "max-conn-rate" works only with TCP.

I'm pretty sure this is useless enough that it doesn't justify the code
bloat. Typically the performance cost of packet handling depends more on
the number of packets, not the size of the packets. So a smart attacker
will send many small packets rather than fewer, bigger packets anyway.

Of course if you're concerned about your upstream bandwidth being
consumed, whether you drop it on the firewall or not makes little
difference.

My personal suggestion would be to decide how much ICMP traffic you're
willing to handle, and rate-limit it with altq rather than trying to set
arbitrary packet size limits, which may have unintended side effects.

> Admin-generated icmp codes: With IPFW we could return icmp code 1 when
> a user tried to connect to closed ports (especially the SMTP port, for
> spammers). With PF we can block only by silent drop, or ICMP
> unreachable. It's not enough.

1) It's not clear to me why you don't want it to return the default ICMP
unreachable/port unreachable. But sure, suit yourself.

2) This feature has existed in PF from the beginning. See pf.conf(5):

     return-icmp
     return-icmp6
             This causes ICMP messages to be returned for packets which
             match the rule.  By default this is an ICMP UNREACHABLE
             message, however this can be overridden by specifying a
             message as a code or number.

and

     return         = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
                      "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] |
                      "return-icmp6" [ "(" icmp6code ")" ]

For example:

     block return-icmp ( host-prohib ) in

> P.S. By the way, is there no chance of shaping like ipfw (dummynet), by
> giving a mask for all ip addresses? It's the last reason to stay with
> ipfw.

No, there is nothing like this in PF right now. It's on my list of things
to look at, but that list grows faster than I can get things done...

-Ryan
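The following pf.conf fragment is an added illustration of the two points Ryan makes, not a configuration from this thread or from the PF project: it caps ICMP with an altq queue instead of filtering on packet size, and it uses return-icmp with the host-prohib code for unwanted SMTP connections. Interface names, addresses, the peer table and the bandwidth figures are assumed placeholders.

```pf
# Added example (not from the thread). Interface names, addresses and
# bandwidth figures below are assumptions for illustration only.
ext_if   = "em0"          # upstream side (assumed)
int_if   = "em1"          # server side (assumed)
mail_srv = "192.0.2.25"   # assumed mail host (documentation address range)
table <mailpeers> { 198.51.100.0/24 }   # assumed hosts allowed to deliver mail

# 1) Rate-limit ICMP with ALTQ rather than matching on packet size.
#    ALTQ shapes traffic leaving the interface it is enabled on, so to cap
#    ICMP heading for the servers the queues are attached to the inside
#    interface. A "queue" keyword on an inbound rule on $ext_if selects the
#    queue used when the packet is forwarded out $int_if.
altq on $int_if cbq bandwidth 100Mb queue { std, icmpq }
queue std   bandwidth 99Mb  cbq(default)
queue icmpq bandwidth 512Kb cbq          # no "borrow": hard cap of 512Kb/s

block in on $ext_if
pass out

# Echo requests are still forwarded, but only through the capped queue;
# a flood of full-sized echo requests can never exceed 512Kb/s inside.
pass in on $ext_if inet proto icmp icmp-type echoreq queue icmpq

# 2) Answer unwanted SMTP connections with an "administratively prohibited"
#    ICMP instead of a silent drop or the default port unreachable. The
#    code name is taken from the ICMP code table in pf.conf(5); host-prohib
#    is the one shown in the reply above.
block return-icmp (host-prohib) in on $ext_if inet proto tcp \
      to $mail_srv port smtp

# PF uses the last matching rule, so this pass overrides the block above
# for the listed peers only; everyone else gets the host-prohib ICMP.
pass in on $ext_if inet proto tcp from <mailpeers> to $mail_srv port smtp
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -vsq` shows the per-queue counters, which is the quickest way to confirm that echo requests are actually landing in icmpq rather than the default queue.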