CARP, ARP , Other? CARP = RFC
This is my first post, so hello everybody!
I would like to ask a few questions on this matter and share some findings that might be of interest.
Requirements for Internet Hosts - RFC 1122 - states clearly that you must respond to pings:
Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies.
A host SHOULD also implement an application-layer interface for sending an Echo Request and receiving an Echo Reply, for
The IP source address in an ICMP Echo Reply MUST be the same as the specific-destination address (defined in Section 184.108.40.206) of the corresponding ICMP Echo Request message.
So how does this affect me if I don't use CARP VIP?
One possible problem here is that you might be slowed down as there are web services that use the icmp response to adjust their connection speed.
Some personal/software firewalls block icmp reply by default (ex windows xp, norton …), so check yours in case...
Other obvious problems would come up with many services (vpn, dhcp, smtp ...) if your users face the web without it.
On the other side there are people saying that not responding to icmp requests will protect you from attacks like D.O.S. and icmp flood and others say it is not true.
While this debate is of no interest a question arises; how does pfsense deal with this? The answer seems traffic shaper.
And now the real question:
- the default settings weight icmp as a default priority, should I make this lower priority when running for example web servers?
- furthermore it seems that this setting translates to 25%, does this mean a flood will consume 25% cpu power?
- will a carp virtual ip be protected by traffic shaper?
- would it be a better usage of system resources if I would use SNORT to handle the situation?
Although the answers might be obvious to some, while the majority don't really have to bother about this stuff, it would be nice to hear an expert answer on this subject.