From: Chris Boyd <cboyd@gizmopartners.com>
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD DDoS protection
Date: Sun, 10 Feb 2013 13:44:45 -0600
Message-ID: <1360525485.9680.9.camel@hounddog>
In-Reply-To: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>

On Sat, 2013-02-09 at 19:57 -0600, khatfield@socllc.net wrote:
>
> Deny all ICMP (drop I mean)

Please DON'T do this. ICMP is a required part of the TCP/IP suite.

It breaks Path MTU discovery, leading to oddball issues where some sites
can't load graphics, some file transfers break, etc. It makes
troubleshooting using traceroute not work.

If you don't want to get pinged, then drop echo request/reply.
But those are really pretty harmless.

--Chris
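
Added example, not part of the original message: a simplified Python model of a sender behind a stateless inbound ICMP filter, comparing "drop all ICMP" with "drop only echo request/reply". The MTU values, transfer sizes, retry count and all function names are constructed assumptions.

```python
# Simplified model of Path MTU discovery behind a stateless inbound ICMP filter.
# All names and numbers are constructed for illustration.

ECHO_REQUEST, ECHO_REPLY = (8, 0), (0, 0)
FRAG_NEEDED = (3, 4)      # destination unreachable: fragmentation needed, DF set
TIME_EXCEEDED = (11, 0)   # what traceroute listens for

def drop_all_icmp(icmp):
    """Policy from the quoted advice: drop every ICMP message."""
    return True

def drop_echo_only(icmp):
    """Policy suggested in the reply: drop only echo request/reply."""
    return icmp in (ECHO_REQUEST, ECHO_REPLY)

def send(size, drops, local_mtu=1500, path_mtu=1400, retries=3):
    """Send `size` bytes with DF set; return True if all of it arrives."""
    pmtu = local_mtu                      # sender's current path MTU estimate
    sent = 0
    while sent < size:
        packet = min(size - sent, pmtu)
        for _ in range(retries):
            if packet <= path_mtu:        # fits the narrow hop: delivered
                sent += packet
                break
            # Too big: the router discards it and reports FRAG_NEEDED.
            if not drops(FRAG_NEEDED):
                pmtu = path_mtu           # sender learns the smaller MTU
                packet = min(size - sent, pmtu)
        else:
            return False                  # every retry vanished: black hole
    return True

def report(drops):
    """Summarise what still works under a given ICMP drop policy."""
    return {
        "small_transfer": send(500, drops),
        "large_transfer": send(5000, drops),
        "answers_ping": not drops(ECHO_REQUEST),
        "traceroute_through": not drops(TIME_EXCEEDED),
    }

if __name__ == "__main__":
    for policy in (drop_all_icmp, drop_echo_only):
        print(policy.__name__, report(policy))
```

Under the drop-all policy the small transfer still completes while the large one stalls, which is the pattern of partial failures described above.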