[ previous ] [ next ] [ threads ]
 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Why I left M0N0Wall
 Date:  Sat, 26 Mar 2005 13:19:47 -0500
On Sat, 26 Mar 2005 12:23:19 -0500, Bryan Marc Schaubach
<omschaub at gmail dot com> wrote:
> > This is not packet loss but freebsd shaping the icmp responses to be
> > able to let other requests pass as they should
> But this behavior on the LAN side results in the local machine loosing
> packets... 

No it doesn't.  This is only ICMP connections to m0n0wall itself.  It
has nothing to do with TCP, UDP or even ICMP or anything else that
passes through it.

> If your ISP and your computer can
> handle/generate these requests in accordance with safe specs, then why
> does FreeBSD reject this as a DoS attack.. is it not checking for
> validity of this sort of behavior?  Of course this is just IMO..

You don't know what you're talking about.  Limiting how many ICMP
messages your firewall will send has absolutely nothing to do with how
much traffic it'll pass.  To prove this, if you throw a box outside of
m0n0wall and run that same ping test from LAN to WAN, I bet you won't
lose packets.

Out of curiousity, I will try Azureus later and see what happens.  I'm
still betting on IPFilter being overzealous on cutting off state on
connections.  I *very* seriously doubt if it's going to lose 10,000
packets though (unless you're talking about a period of several days,
then it *might* be feasible).