On Sat, 26 Mar 2005 12:23:19 -0500, Bryan Marc Schaubach <omschaub at gmail dot com> wrote:
> >
> > This is not packet loss but freebsd shaping the icmp responses to be
> > able to let other requests pass as they should
>
> But this behavior on the LAN side results in the local machine losing
> packets...

No it doesn't. This is only ICMP connections to m0n0wall itself. It has nothing to do with TCP, UDP or even ICMP or anything else that passes through it.

> If your ISP and your computer can
> handle/generate these requests in accordance with safe specs, then why
> does FreeBSD reject this as a DoS attack.. is it not checking for
> validity of this sort of behavior? Of course this is just IMO..
>

You don't know what you're talking about. Limiting how many ICMP messages your firewall will send has absolutely nothing to do with how much traffic it'll pass. To prove this, if you throw a box outside of m0n0wall and run that same ping test from LAN to WAN, I bet you won't lose packets.

Out of curiosity, I will try Azureus later and see what happens. I'm still betting on IPFilter being overzealous on cutting off state on connections. I *very* seriously doubt if it's going to lose 10,000 packets though (unless you're talking about a period of several days, then it *might* be feasible).

-Chris