Limiting ICMP pings



  • Hi Guys,

    Is there a way to limit ICMP pings to a certain amount per minute?

    I suspect it would be administered under the 'Advanced' button in the firewall rule, but how to construct it?

    Thanks,
    Jits


  • Rebel Alliance Developer Netgate

    Not in that way, no. A ping would create a state, and all pings sent from the same source to the same destination would be counted in that same state and not tracked by those options.



  • OK, well, what can be done to mitigate ICMP floods or attacks?

    How can I tell pfSense to reply to 50 pings per minute and drop the rest?



  • net.inet.icmp.icmplim in advanced tunables is probably close to what you are looking for. It is enabled by default, I think, and set to 300, so you should be fine.


  • Rebel Alliance Developer Netgate

    @senser:

    net.inet.icmp.icmplim in advanced tunables is probably close to what you are looking for. It is enabled by default, I think, and set to 300, so you should be fine.

    That limits the number of ICMP responses from the firewall itself, and is specified in packets per second. That wouldn't have any effect on pings sent from clients to WAN, or (if applicable) from WAN to LAN.

    @jits:

    OK, well, what can be done to mitigate ICMP floods or attacks?

    How can I tell pfSense to reply to 50 pings per minute and drop the rest?

    50 pings per minute (less than one per second) is nowhere near a flood. There isn't a way to set a limit that would be that low.

    Using a limiter could stop it from consuming a lot of bandwidth, but it still wouldn't give an X packets per minute rate limit.
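For readers who want to see what the "50 pings per minute per source, drop the rest" policy from the question actually looks like as logic, here is an added illustration in Python. It is not pfSense or pf code and not something posted in this thread; pf's state tracking, as explained above, does not expose such a limit for ICMP. The limiter keeps a sliding window of answered echo requests per source address and runs over constructed (timestamp, source) events rather than live packets; the addresses, counts and timings are assumptions chosen for the demonstration.

```python
"""Sliding-window ICMP echo rate limit: answer at most LIMIT echo requests
per source address per WINDOW seconds and drop the rest.

Added illustration of the per-source, per-minute limit asked for in the
thread. It is not a pfSense feature and not code from the forum; it runs
over constructed (timestamp, source) echo-request events, not captured
traffic, so every number below is an assumption.
"""
from collections import defaultdict, deque

LIMIT = 50      # echo requests answered per source per window (from the question)
WINDOW = 60.0   # seconds


class EchoRateLimiter:
    """Per-source sliding window holding timestamps of answered requests."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self._answered = defaultdict(deque)  # src -> deque of timestamps

    def allow(self, src, ts):
        """Return True if an echo request from src at time ts should be answered."""
        q = self._answered[src]
        # Expire answered requests that have aged out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) < self.limit:
            q.append(ts)
            return True
        return False


def apply_limit(events, limit=LIMIT, window=WINDOW):
    """Run the limiter over (ts, src) events; return {src: (answered, dropped)}."""
    rl = EchoRateLimiter(limit, window)
    stats = defaultdict(lambda: [0, 0])
    for ts, src in sorted(events):
        stats[src][0 if rl.allow(src, ts) else 1] += 1
    return {src: tuple(v) for src, v in stats.items()}


# Constructed sample traffic (assumption, not a capture):
#  - 203.0.113.5 sends 200 echo requests in 20 seconds (a small flood)
#  - 198.51.100.7 sends one echo request every 2 seconds for 5 minutes
#    (30 per minute, under the limit, so nothing is dropped)
SAMPLE_EVENTS = (
    [(i * 0.1, "203.0.113.5") for i in range(200)]
    + [(i * 2.0, "198.51.100.7") for i in range(150)]
)

if __name__ == "__main__":
    for src, (ok, dropped) in apply_limit(SAMPLE_EVENTS).items():
        print(f"{src}: answered {ok}, dropped {dropped}")
```

The flooding source gets its first 50 requests answered and the remaining 150 dropped, while the well-behaved source is never throttled; once a source's answered requests age past the window it is allowed again, which is the per-minute behaviour the question asked about and that a pf state does not track.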

