Netgate Discussion Forum

    Limiting ICMP pings

    Firewalling
      jits

      Hi Guys,

      Is there a way to limit ICMP pings to a certain amount per minute?

      I suspect it would be administered under the 'Advanced' button in the firewall rule, but how to construct it?

      Thanks,
      Jits

        jimp Rebel Alliance Developer Netgate

        Not in that way, no. A ping would create a state and all pings sent from the same source to the same destination would be counted in that same state and not tracked by those options.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          jits

          OK, well, what can be done to mitigate ICMP floods or attacks?

          How can I tell pfSense to reply to 50 pings per minute and drop the rest?

            senser

            net.inet.icmp.icmplim in advanced tunables is probably close to what you are looking for. It is enabled by default, I think, and set to 300, so you should be fine.

            We use the mighty pf, we cannot be fooled.

              jimp Rebel Alliance Developer Netgate

              @senser:

              net.inet.icmp.icmplim in advanced tunables is probably close to what you are looking for. It is enabled by default, I think, and set to 300, so you should be fine.

              That limits the number of ICMP responses from the firewall itself, and is specified in packets per second. That wouldn't have any effect on pings sent from clients to WAN, or (if applicable) from WAN to LAN.

              @jits:

              OK, well, what can be done to mitigate ICMP floods or attacks?

              How can I tell pfSense to reply to 50 pings per minute and drop the rest?

              50 pings per minute (less than one per second) is nowhere near a flood. There isn't a way to set a limit that would be that low.

              Using a limiter could stop it from consuming a lot of bandwidth, but it still wouldn't give an X packets per minute rate limit.

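To illustrate the two points made in jimp's replies above, here is an added example that is not part of the thread and is not pf or pfSense code: a toy Python model of state-based counting next to a per-second cap on the firewall's own ICMP responses. It assumes a state is keyed by source, destination and ICMP identifier; the idle timeout, the addresses and the function names are constructed for the illustration.

```python
from collections import defaultdict

def new_states_per_source(packets, idle_timeout=10.0):
    """Count state creations per source: the event a state-based rule option sees.

    packets: iterable of (time_s, src, dst, icmp_id). Assumption: one state per
    (src, dst, icmp_id), expiring after `idle_timeout` seconds without traffic.
    """
    last_seen = {}
    created = defaultdict(int)
    for t, src, dst, icmp_id in sorted(packets):
        key = (src, dst, icmp_id)
        if key not in last_seen or t - last_seen[key] > idle_timeout:
            created[src] += 1      # first packet of a flow: a new state is counted
        last_seen[key] = t         # later packets only refresh the existing state
    return dict(created)

def firewall_replies(packets, firewall_ip, limit_pps):
    """Model a responses-per-second cap that applies only to the firewall itself.

    Returns (answered, forwarded): replies the firewall sends, and packets that
    were addressed elsewhere and are therefore never subject to the cap.
    """
    sent_in_second = defaultdict(int)
    answered = forwarded = 0
    for t, src, dst, icmp_id in sorted(packets):
        if dst != firewall_ip:
            forwarded += 1         # traffic through the firewall, not to it
            continue
        second = int(t)
        if sent_in_second[second] < limit_pps:
            sent_in_second[second] += 1
            answered += 1          # over the cap, the request simply gets no reply
    return answered, forwarded

# Constructed sample traffic (documentation addresses, not taken from the thread).
FIREWALL = "203.0.113.1"
# 600 echo requests in 60 s from one client to one host behind the firewall.
FLOOD = [(i * 0.1, "198.51.100.7", "192.0.2.10", 4242) for i in range(600)]
# 500 echo requests inside a single second, addressed to the firewall itself.
BURST = [(5 + i / 1000, "198.51.100.9", FIREWALL, 77) for i in range(500)]

if __name__ == "__main__":
    # One state for 600 pings: a per-state counter never sees a "rate".
    print(new_states_per_source(FLOOD))
    # Cap value 300 is the figure quoted in the thread, used here as sample input.
    print(firewall_replies(FLOOD + BURST, FIREWALL, limit_pps=300))
```

In this model, 600 forwarded pings register as a single counted event, while the per-second cap trims only the burst aimed at the firewall and leaves the forwarded traffic untouched.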
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.