  1. L

    PF How to rate limit ping?

    I could use some help with a pf firewall I can't get to work. For some reason, ping/icmp won't get blocked by overload. This works for ssh connections: table <bruteforce> persist block drop in log quick on $ext_if inet proto tcp from <bruteforce> port 22 pass in log on $ext_if inet proto tcp to...
  2. A

    IPFW Filtering ICMP with ipfw Q: icmptype AND code?

    I know I can have ipfw rules matching the ICMP protocol and specify one or more icmptypes. But how do I also match on the ICMP type's code (those that have such)? For example I can easily match ICMP type 3 (destination unreachable) messages: ipfw add 1000 count log icmp from me to...
  3. Dave12

    FreeBSD 11.1 - Only 1 ICMP redirect (frag needed) packet returned

    So we've got an issue that's been perplexing us. We're using a FreeBSD box as a router, with 1 NIC set to a low MTU (VPN reasons) and another NIC set to a normal MTU. NIC 1 is the route out to the internet + IPSec interface - MTU = 1350 NIC 2 is the route into our network - MTU = 1500...
  4. Lamia

    Solved ICMP commands fails until Pf is reloaded

    On starting my PC, I could not get the icmp commands (ping, etc) to work. Needless to say services like email don't work but not web servers, which surprisingly work. Webpages are accessible. I always have to run "service pf reload" but email server and icmp commands would work. Below is my pf...
  5. P

    PF I have issues with the pf.conf being loaded

    I am new to Linux/BSD. I am using a Debian system with a KFreeBSD kernel. Whenever I try to initiate PF with the pf.conf as below, it gives the error as in the image. My pf.conf is, pass inet proto icmp from any to any pass log (all) proto icmp from any to any altq on le0 cbq bandwidth 500Kb...
  6. FKEinternet

    Solved ipfw vs. ping puzzle

    My servers Dreamer and Wren each have two interfaces, connected to two routers. The re0 interfaces are connected to the 192.168.14.* subnet, and the re1 interfaces are connected to the 192.168.1.* subnet. The 192.168.1.* subnet originates at a Verizon router, which is also upstream from an...
  7. sidetone

    Other ICMP types and portscans

    I don't fully understand ICMP. Some Internet servers, as I've read, can function perfectly with ICMP completely blocked, but I don't necessarily want to block them all in my firewall. Which ICMP types can be completely blocked (from any direction) to mitigate portscans? Would blocking all ICMP...