 From:  "C. Falconer" <cfalconer at avonside dot school dot nz>
 To:  'Chris Buechler' <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Why I left M0N0Wall
 Date:  Wed, 30 Mar 2005 09:50:22 +1200
Pings from two internal machines...

caffeine:~# ping -c 100 -f www.avonside.school.nz
PING www.avonside.school.nz ( 56 data bytes
--- www.avonside.school.nz ping statistics ---
189 packets transmitted, 100 packets received, 47% packet loss
round-trip min/avg/max = 31.3/249.1/429.1 ms

Caffeine is running bittorrent for the Project Gutenberg DVD ISO, and is
currently sending about 16 kbytes/sec

horse:~# ping -c 1000 -f www.avonside.school.nz
PING www.avonside.school.nz ( 56(84) bytes of data.
--- www.avonside.school.nz ping statistics ---
1000 packets transmitted, 996 received, 1% packet loss, time 183384ms
rtt min/avg/max/mdev = 19.583/236.749/1040.459/212.937 ms, pipe 46, ipg/ewma 183.567/74.273 ms

Horse is quite unloaded...  No bittorrent or downloads. It is on a separate
port to caffeine, and as you can see has basically lost no packets.

-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com] 
Sent: Sunday, 27 March 2005 6:20 a.m.
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Why I left M0N0Wall

On Sat, 26 Mar 2005 12:23:19 -0500, Bryan Marc Schaubach
<omschaub at gmail dot com> wrote:
> > This is not packet loss but freebsd shaping the icmp responses to be 
> > able to let other requests pass as they should
> But this behavior on the LAN side results in the local machine losing 
> packets...

No it doesn't.  This is only ICMP connections to m0n0wall itself.  It has
nothing to do with TCP, UDP or even ICMP or anything else that passes
through it.

> If your ISP and your computer can
> handle/generate these requests in accordance with safe specs, then why 
> does FreeBSD reject this as a DoS attack.. is it not checking for 
> validity of this sort of behavior?  Of course this is just IMO..

You don't know what you're talking about.  Limiting how many ICMP messages
your firewall will send has absolutely nothing to do with how much traffic
it'll pass.  To prove this, if you throw a box outside of m0n0wall and run
that same ping test from LAN to WAN, I bet you won't lose packets.

Out of curiosity, I will try Azureus later and see what happens.  I'm still
betting on IPFilter being overzealous on cutting off state on connections.
I *very* seriously doubt if it's going to lose 10,000 packets though (unless
you're talking about a period of several days, then it *might* be feasible).

