
Limiting icmp unreach response from: how to deal with it?

Nov 3 01:02:24 gate kernel: Limiting icmp unreach response from 362 to 200 packets/sec

Nov 3 01:02:25 gate kernel: Limiting icmp unreach response from 386 to 200 packets/sec

Nov 3 01:02:26 gate kernel: Limiting icmp unreach response from 405 to 200 packets/sec

Nov 3 01:02:27 gate kernel: Limiting icmp unreach response from 392 to 200 packets/sec

Nov 3 01:02:28 gate kernel: Limiting icmp unreach response from 394 to 200 packets/sec

Nov 3 01:02:29 gate kernel: Limiting icmp unreach response from 364 to 200 packets/sec

Nov 3 01:02:30 gate kernel: Limiting icmp unreach response from 361 to 200 packets/sec

 

While these messages were appearing, the connection to the router was being lost.

Clearly an ICMP flood. What are the ways to fight it? The system is FreeBSD; for now I have set up:

 

00002 1 144 reject log logamount 10 tcp from any to any not established tcpflags fin

00003 3480 758352 deny log logamount 10 ip from any to any not verrevpath in

00004 187 11980 allow icmp from any to any out icmptypes 8

00005 22 1848 allow icmp from any to any in icmptypes 0

00006 68251 7930332 deny icmp from any to any in icmptypes 8

00040 24951 1707163 allow icmp from any 1.1.1.1 in via rl0 icmptypes 0,8,11 limit src-addr 2

where 1.1.1.1 is the external IP address and rl0 is the external interface.

 

in sysctl.conf (applied via sysctl -w):

net.inet.tcp.blackhole=1

net.inet.udp.blackhole=1

 

But this is far too drastic, since it blocks everything it possibly can...

How can this be tuned more leniently?

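To turn those kernel lines into something you can act on rather than just watch scroll by, here is an added example (not from the thread and not FreeBSD's own code) in Python that parses them and summarizes the burst: how many seconds the limit was hit, the peak and average requested rate, how many replies the kernel suppressed, and the longest unbroken run. The sample log is constructed from the lines quoted above; the regex accepts any of the limiter's message kinds, not only icmp unreach.

```python
import re
from datetime import datetime

# Constructed sample: the kernel lines quoted in the post above.
SAMPLE_LOG = """\
Nov 3 01:02:24 gate kernel: Limiting icmp unreach response from 362 to 200 packets/sec
Nov 3 01:02:25 gate kernel: Limiting icmp unreach response from 386 to 200 packets/sec
Nov 3 01:02:26 gate kernel: Limiting icmp unreach response from 405 to 200 packets/sec
Nov 3 01:02:27 gate kernel: Limiting icmp unreach response from 392 to 200 packets/sec
Nov 3 01:02:28 gate kernel: Limiting icmp unreach response from 394 to 200 packets/sec
Nov 3 01:02:29 gate kernel: Limiting icmp unreach response from 364 to 200 packets/sec
Nov 3 01:02:30 gate kernel: Limiting icmp unreach response from 361 to 200 packets/sec
"""

# FreeBSD's reply rate limiter logs every kind ("icmp unreach", "icmp ping",
# "closed port RST", ...) in this same shape, so the kind is captured generically.
LIMIT_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Limiting (?P<kind>.+?) response from (?P<wanted>\d+) to (?P<cap>\d+) packets/sec$"
)

def parse_limit_events(text):
    # 'wanted' = replies the host itself tried to send in that second (e.g. ICMP
    # port unreachable for packets to closed UDP ports); 'cap' = icmplim in force.
    events = []
    for line in text.splitlines():
        m = LIMIT_RE.match(line)
        if m:
            events.append({"time": datetime.strptime(m["time"], "%H:%M:%S"),
                           "host": m["host"], "kind": m["kind"],
                           "wanted": int(m["wanted"]), "cap": int(m["cap"])})
    return events

def longest_run(events):
    # Longest streak of limited seconds with no gap: a sustained flood vs. a blip.
    best = run = 0
    prev = None
    for e in events:
        run = run + 1 if prev and (e["time"] - prev).total_seconds() == 1 else 1
        best, prev = max(best, run), e["time"]
    return best

def summarize(events):
    if not events:
        return None
    wanted = [e["wanted"] for e in events]
    return {"seconds_limited": len(events),
            "peak_rate": max(wanted),
            "avg_rate": round(sum(wanted) / len(wanted)),
            "replies_suppressed": sum(e["wanted"] - e["cap"] for e in events),
            "longest_run_s": longest_run(events)}
```

The logged rate is the number of replies the host wanted to send, so net.inet.icmp.icmplim only changes how many of those go out; the inbound packets that provoke them are what the ipfw rules have to deal with.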

sysctl net.inet.icmp.icmplim=1000 ? :)

You can also limit ICMP by packet size.

Edited by Dyr
