Date: Tue, 18 Jan 2000 11:41:02 -0600 (CST)
From: James Wyatt <jwyatt@rwsystems.net>
To: Jonathan Fortin <jonf@revelex.com>
Cc: freebsd-security@freebsd.org
Subject: Re: TCP/IP
Message-ID: <Pine.BSF.4.10.10001181136580.42481-100000@bsdie.rwsystems.net>
In-Reply-To: <002801bf61de$b2663560$0900000a@server>

On Tue, 18 Jan 2000, Jonathan Fortin wrote:
> I noticed that most of the firewalls out there don't cover protection e.g., on a denial of service attack, it should ignore the whole protocol
> but only allow packets with 3k in length. etc.

The only real DoS 'thing' I've noticed is the ICMP_BANDLIM to limit icmp error responses, which works fairly well. Most of the DoS stuff, IMHO, should be done at the router, and the one on the input-end of the link if you can. This protects the link as well as the host. Amplifiers can really overwhelm a link...

Of course, if you are using FreeBSD as your router, this becomes very important on the host again, right Dennis? I would *love* to hear what others have done besides the usual ipfw rules. Thanks - Jy@

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message