Re: icmp packets - disabling via sysctl, or cisco switch ... ?
Bill Moran wrote:
> User Freebsd wrote:
> > Two part question here ...
> >
> > first part ... is there a way of just disabling icmp by setting a sysctl,
> > so that a server just doesn't respond to them?
> >
> > second part ... is there a way of telling a cisco switch to drop all icmp
> > packets, preferably to all but an exception list, but to everywhere works
> > as well ...
>
> Sure, just uninstall TCP/IP. ICMP isn't needed unless you're using TCP/IP.
> :-)

I was going to express the same idea a bit more politely...

Try running "tcpdump -nt icmp" and paying attention to what is going on;
blocking all ICMP traffic on an internet router will completely break PMTU
discovery and cause hatred and discontent for normal TCP/IP operations, too.

--
-Chuck

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: icmp packets - disabling via sysctl, or cisco switch ... ?
User Freebsd wrote:
> Two part question here ...
>
> first part ... is there a way of just disabling icmp by setting a sysctl,
> so that a server just doesn't respond to them?
>
> second part ... is there a way of telling a cisco switch to drop all icmp
> packets, preferably to all but an exception list, but to everywhere works
> as well ...

Sure, just uninstall TCP/IP. ICMP isn't needed unless you're using TCP/IP.
Re: icmp packets - disabling via sysctl, or cisco switch ... ?
On Friday 28 July 2006 06:26, User Freebsd wrote:
> Just an addendum, but this is what I'm seeing in /var/log/messages right
> now:
>
> Jul 28 00:22:37 io kernel: Limiting icmp unreach response from 6255 to 200 packets/sec
> Jul 28 00:22:38 io kernel: Limiting icmp unreach response from 6515 to 200 packets/sec
> Jul 28 00:22:39 io kernel: Limiting icmp unreach response from 6646 to 200 packets/sec
> ^C
>
> And it's been going on for several hours now ... :(

Yes, it is just FreeBSD behaving cleverly and limiting the number of ICMP
replies. These two sysctls are of interest:

    net.inet.icmp.icmplim: Maximum number of ICMP responses per second
    net.inet.icmp.icmplim_output: Enable rate limiting of ICMP responses

Somebody is probably flood pinging your server. You can do several things.

1) block particular (addresses|proto) from your upstream router. This way
   "bad" traffic will not reach your box.

2) block particular (addresses|proto) from your box. This way the "attacker"
   will not know if your box is up and running. Not much gain, since traffic
   will load your box anyway.

Limit the number of ICMP replies to 5 or 10 per second. Won't help at all
with your situation, but it is a good value for normal use.

HTH,
Nikos
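The kernel messages quoted above are the only signal the thread has about how hard the box is being hit. As an added example (not from the thread, not FreeBSD's own tooling), this sh script pulls the offered rate out of those "Limiting icmp unreach response from N to M packets/sec" lines so the peak and its ratio to the icmplim ceiling can be watched over time; the log lines are constructed to match the ones posted.

```shell
#!/bin/sh
# Added example: summarise FreeBSD ICMP rate-limit log lines.
# SAMPLE_LOG is constructed; in practice feed it "$(grep 'Limiting icmp' /var/log/messages)".
SAMPLE_LOG='Jul 28 00:22:37 io kernel: Limiting icmp unreach response from 6255 to 200 packets/sec
Jul 28 00:22:38 io kernel: Limiting icmp unreach response from 6515 to 200 packets/sec
Jul 28 00:22:39 io kernel: Limiting icmp unreach response from 6646 to 200 packets/sec
Jul 28 00:22:40 io sshd[123]: Accepted publickey for alice from 192.0.2.7 port 4242'

# count_icmp_limit_lines LOG: number of rate-limit messages present.
count_icmp_limit_lines() {
    printf '%s\n' "$1" | grep -c 'Limiting icmp .* response from [0-9]* to [0-9]* packets/sec' || true
}

# peak_icmp_limit_rate LOG: highest "from N" value (packets/sec the kernel was
# asked to send), or 0 when no rate-limit line is present.
peak_icmp_limit_rate() {
    printf '%s\n' "$1" | awk '
        /Limiting icmp .* response from [0-9]+ to [0-9]+ packets\/sec/ {
            match($0, /from [0-9]+/)
            n = substr($0, RSTART + 5, RLENGTH - 5) + 0
            if (n > max) max = n
        }
        END { print max + 0 }'
}

# limit_ratio LOG: peak offered rate divided by the configured ceiling (the
# "to M" value, i.e. net.inet.icmp.icmplim) as an integer; anything above 1
# means the kernel is already dropping replies, so raising icmplim only shifts
# the load from the limiter to the NIC.
limit_ratio() {
    printf '%s\n' "$1" | awk '
        /Limiting icmp .* response from [0-9]+ to [0-9]+ packets\/sec/ {
            match($0, /from [0-9]+/); n = substr($0, RSTART + 5, RLENGTH - 5) + 0
            match($0, /to [0-9]+ packets/); lim = substr($0, RSTART + 3, RLENGTH - 11) + 0
            if (n > max) max = n
        }
        END { if (lim > 0) print int(max / lim); else print 0 }'
}

if [ "${1:-}" = "--demo" ]; then
    echo "rate-limit messages: $(count_icmp_limit_lines "$SAMPLE_LOG")"
    echo "peak offered rate:   $(peak_icmp_limit_rate "$SAMPLE_LOG") packets/sec"
    echo "peak/ceiling ratio:  $(limit_ratio "$SAMPLE_LOG")"
fi
```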
Re: icmp packets - disabling via sysctl, or cisco switch ... ?
On Friday 28 July 2006 06:15, User Freebsd wrote:
> Two part question here ...
>
> first part ... is there a way of just disabling icmp by setting a sysctl,
> so that a server just doesn't respond to them?

No. You can do this using the firewall of your choice.

ipfw example:

    ipfw add deny icmp from any to any
    ipfw add allow ip from any to any

(not much intelligence in these rules, but this is what you asked for)

Keep in mind that ipfw blocks everything by default (**you will be locked
out of the box**), so do this locally or follow the instructions in the
manual on how to load the ipfw kernel module.

There are some things you can do with sysctls and ICMP:

    [EMAIL PROTECTED]:0:~# sysctl -d net.inet.icmp
    net.inet.icmp: ICMP
    net.inet.icmp.maskrepl: Reply to ICMP Address Mask Request packets.
    net.inet.icmp.stats:
    net.inet.icmp.icmplim: Maximum number of ICMP responses per second
    net.inet.icmp.maskfake: Fake reply to ICMP Address Mask Request packets.
    net.inet.icmp.drop_redirect: Ignore ICMP redirects
    net.inet.icmp.log_redirect: Log ICMP redirects to the console
    net.inet.icmp.icmplim_output: Enable rate limiting of ICMP responses
    net.inet.icmp.reply_src: icmp reply source for non-local packets.
    net.inet.icmp.reply_from_interface: ICMP reply from incoming interface for non-local packets
    net.inet.icmp.quotelen: Number of bytes from original packet to quote in ICMP reply
    net.inet.icmp.bmcastecho:
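The two-rule ipfw example above drops every ICMP type, which is exactly what breaks PMTU discovery elsewhere in the thread. As an added example (not from the thread and not FreeBSD's own code), this sh script generates an ipfw rule list that answers the original "all but an exception list" question while still passing the types PMTUD and traceroute depend on; the rule-number base and the 192.0.2.0/24 exception are constructed values, and the commands are only printed, never applied.

```shell
#!/bin/sh
# Added example: generate ipfw rules that drop ICMP except from an exception
# list, but keep type 3 (destination unreachable, including "fragmentation
# needed") and type 11 (time exceeded) so PMTU discovery and traceroute work.
# Rule numbers are an assumption; choose a block that fits your ruleset.
ICMP_RULE_BASE=${ICMP_RULE_BASE:-1000}

# icmp_ruleset HOST_OR_PREFIX...: print one ipfw command per line.
# Review the output before piping it to sh, and do it from the console,
# since ipfw's default deny can lock you out (the thread's own warning).
icmp_ruleset() {
    n=$ICMP_RULE_BASE
    # Rule order matters: the PMTUD/traceroute types are accepted first.
    echo "ipfw add $n allow icmp from any to any icmptypes 3,11"
    n=$((n + 1))
    # Exception list: hosts or prefixes allowed to send any ICMP at all.
    for h in "$@"; do
        case "$h" in
            ""|*[!0-9./]*) echo "invalid host/prefix: $h" >&2; return 1 ;;
        esac
        echo "ipfw add $n allow icmp from $h to any"
        n=$((n + 1))
    done
    # Everything else ICMP is dropped; non-ICMP traffic is left to later rules.
    echo "ipfw add $n deny icmp from any to any"
}

# icmp_sysctls: the reply ceiling Nikos suggests (10/sec) plus ignoring
# ICMP redirects, both knobs listed in the sysctl -d output above.
icmp_sysctls() {
    echo "sysctl net.inet.icmp.icmplim=10"
    echo "sysctl net.inet.icmp.drop_redirect=1"
}

if [ "${1:-}" = "--demo" ]; then
    icmp_ruleset 192.0.2.0/24 198.51.100.7
    icmp_sysctls
fi
```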
Re: icmp packets - disabling via sysctl, or cisco switch ... ?
Just an addendum, but this is what I'm seeing in /var/log/messages right now:

    Jul 28 00:22:37 io kernel: Limiting icmp unreach response from 6255 to 200 packets/sec
    Jul 28 00:22:38 io kernel: Limiting icmp unreach response from 6515 to 200 packets/sec
    Jul 28 00:22:39 io kernel: Limiting icmp unreach response from 6646 to 200 packets/sec
    ^C

And it's been going on for several hours now ... :(

On Fri, 28 Jul 2006, User Freebsd wrote:
> Two part question here ...
>
> first part ... is there a way of just disabling icmp by setting a sysctl,
> so that a server just doesn't respond to them?
>
> second part ... is there a way of telling a cisco switch to drop all icmp
> packets, preferably to all but an exception list, but to everywhere works
> as well ...
>
> I'm running a Cisco 2950-24 ...
>
> thanks ...

Marc G. Fournier
Hub.Org Networking Services (http://www.hub.org)
Email . [EMAIL PROTECTED]  MSN . [EMAIL PROTECTED]
Yahoo . yscrappy  Skype: hub.org  ICQ . 7615664
icmp packets - disabling via sysctl, or cisco switch ... ?
Two part question here ...

first part ... is there a way of just disabling icmp by setting a sysctl,
so that a server just doesn't respond to them?

second part ... is there a way of telling a cisco switch to drop all icmp
packets, preferably to all but an exception list, but to everywhere works
as well ...

I'm running a Cisco 2950-24 ...

thanks ...

Marc G. Fournier
Hub.Org Networking Services (http://www.hub.org)
Email . [EMAIL PROTECTED]  MSN . [EMAIL PROTECTED]
Yahoo . yscrappy  Skype: hub.org  ICQ . 7615664