Date:      Sun, 10 Feb 2013 14:48:08 +0200
From:      Janne Snabb <snabb@epipe.com>
To:        khatfield@socllc.net
Cc:        "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, James Howlett <jim.howlett@outlook.com>
Subject:   Re: FreeBSD DDoS protection
Message-ID:  <51179708.2030206@epipe.com>
In-Reply-To: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>
References:  <SNT002-W152BF18F12BD59F112A1CBAE5040@phx.gbl> <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>

On 2013-02-10 03:57, khatfield@socllc.net wrote:
> Deny all ICMP (drop I mean) and UDP except where specifically required.

Please do not drop all ICMP unless you understand what you are doing. By
doing that you are creating a path MTU discovery blackhole.

See for example the following sites for more information:

http://www.phildev.net/mss/
https://supportforums.cisco.com/docs/DOC-5839
http://www.cymru.com/Documents/icmp-messages.html
http://packetlife.net/blog/2008/oct/09/disabling-unreachables-breaks-pmtud/

-- 
Janne Snabb / EPIPE Communications
snabb@epipe.com - http://epipe.com/
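An added example, not from the thread or from any of the cited sites: a FreeBSD pf.conf fragment that puts the "drop all ICMP" rule (the one that creates the PMTUD blackhole) beside a default-deny ruleset that still admits the ICMP messages Path MTU Discovery and basic IPv6 operation need. The interface name `em0` is an assumption.

```pf
# Added example for FreeBSD pf; interface name is a placeholder.
ext_if = "em0"

# WEAK: silently dropping every ICMP message. Inbound "fragmentation
# needed" (ICMPv4 type 3 code 4) and "packet too big" (ICMPv6 type 2)
# never arrive, so senders keep retransmitting oversized segments and
# large transfers stall: a Path MTU Discovery blackhole.
# block drop in quick on $ext_if inet  proto icmp
# block drop in quick on $ext_if inet6 proto ipv6-icmp

# BETTER: deny by default, then pass only the ICMP types that are
# actually required, before the default deny takes effect.
block drop in on $ext_if

# IPv4: fragmentation-needed (PMTUD), TTL exceeded (traceroute), echo.
pass in quick on $ext_if inet proto icmp icmp-type unreach code needfrag
pass in quick on $ext_if inet proto icmp icmp-type { timex, echoreq }

# IPv6: packet-too-big is mandatory (IPv6 routers never fragment), and
# neighbor discovery is required for the link to function at all.
pass in quick on $ext_if inet6 proto ipv6-icmp icmp6-type { toobig, timex, echoreq }
pass in quick on $ext_if inet6 proto ipv6-icmp icmp6-type { neighbrsol, neighbradv, routeradv }

# Outbound traffic is stateful; pf matches ICMP error messages to the
# state of the connection they refer to, but the explicit passes above
# are what keep PMTUD working for traffic the host forwards.
pass out quick on $ext_if keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then verify PMTUD end to end with a DF-set ping larger than the smallest MTU on the path (`ping -D -s 1472 host`), which should return a "frag needed" message rather than time out.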