Re: [m0n0wall] Why I left M0N0Wall

From:	Bryan Marc Schaubach <omschaub at gmail dot com>
To:	Rasmus Fauske <rasmus at postboks dot org>
Cc:	m0n0wall at lists dot m0n0 dot ch
Subject:	Re: [m0n0wall] Why I left M0N0Wall
Date:	Sat, 26 Mar 2005 12:23:19 -0500

> This is not packet loss but freebsd shaping the icmp responses to be
> able to let other requests pass as they should


But this behavior on the LAN side results in the local machine loosing
packets... several programs I have used are experiencing this.. I have a
good 5mbit connection and just downloading a lot from the news servers
results in threads giving out because of this 'feature.'  It is one
thing to limit from the WAN side as to prevent a DoS attack.. it is
quite another to limit from the LAN side as to not allow a high threaded
program to get it's requests through.  If your ISP and your computer can
handle/generate these requests in accordance with safe specs, then why
does FreeBSD reject this as a DoS attack.. is it not checking for
validity of this sort of behavior?  Of course this is just IMO..


> Limiting icmp ping response from 235 to 200 packets/sec
> Limiting icmp ping response from 236 to 200 packets/sec
> Limiting icmp ping response from 236 to 200 packets/sec
> Limiting icmp ping response from 236 to 200 packets/sec
>
> As you can see this is a standard freebsd message when under DoS attac
> or something like that. (type dmesg in /exec.php to get the logs of this)
>
> -- 
> Rasmus Fauske
>