Date: Tue, 12 Feb 2013 11:34:21 -0600
From: khatfield@socllc.net
To: Norbert Aschendorff <norbert.aschendorff@yahoo.de>
Cc: "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org>
Subject: Re: FreeBSD DDoS protection
Message-ID: <875329286.93002.1360690465766@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com>
In-Reply-To: <511A733E.3000208@yahoo.de>
References: <SNT002-W152BF18F12BD59F112A1CBAE5040@phx.gbl> <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com> <51179708.2030206@epipe.com> <op.wsehxssd34t2sn@tech304.office.supranet.net> <511A733E.3000208@yahoo.de>
As my response stated, filter ICMP except where necessary. I can state, coming from a mitigation background, that there are ways to safely do it without causing any issues. However, yes, you can still filter ICMP and remain compliant with an example pf rule like:

icmp_types = "{ echoreq, unreach }"

But in real-life situations under constant attacks, blocking ICMP can be a large part of keeping businesses online.

If everything was standard and attackers followed the packet/traffic specifications, then going by the standard would be no problem. That's not the case, and sometimes guidelines have to be situational.

-Kevin

On Feb 12, 2013, at 10:54 AM, "Norbert Aschendorff" <norbert.aschendorff@yahoo.de> wrote:

> In fact, it's specified in RFC1122:
>
>
> 3.2.2.6 Echo Request/Reply: RFC-792
>
> Every host MUST implement an ICMP Echo server function that
> receives Echo Requests and sends corresponding Echo Replies.
>
> I think it implies that the implementation should actually work. :)
>
> --Norbert
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
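The following pf.conf fragment is an added illustration, not part of Kevin's message or the thread, showing how an icmp_types macro like the one above fits into a default-deny ruleset that keeps the RFC 1122 echo server reachable while capping per-source ICMP state; the interface name em0 and the 192.0.2.0/24 addresses are constructed placeholders.

```pf
# Added example pf.conf fragment (not from the thread). Assumptions:
# external interface em0, protected hosts in the constructed 192.0.2.0/24.
# Rules for TCP/UDP services are omitted; only the ICMP handling is shown.
ext_if = "em0"
table <servers> { 192.0.2.10, 192.0.2.11 }

# ICMP types still answered: echo requests (the RFC 1122 echo server) and
# destination-unreachable, which path-MTU discovery depends on.
icmp_types  = "{ echoreq, unreach }"
# IPv6 needs more than that to function at all: packet-too-big and
# neighbor discovery must not be filtered.
icmp6_types = "{ echoreq, unreach, toobig, neighbrsol, neighbradv }"

set block-policy drop
set skip on lo0
# Shorten ICMP state lifetimes so a flood does not pin state-table entries.
set timeout { icmp.first 10, icmp.error 5 }

# Default deny: any ICMP type not listed above is silently dropped.
block all

# Pass only the listed ICMP types, and cap the number of concurrent state
# entries a single source address may hold; excess requests from that
# source are dropped while other hosts are unaffected.
pass in on $ext_if inet proto icmp to <servers> \
    icmp-type $icmp_types keep state (max-src-states 10)
pass in on $ext_if inet6 proto icmp6 to <servers> \
    icmp6-type $icmp6_types keep state (max-src-states 10)

# Replies to our own probes are matched by the state created on the way out.
pass out on $ext_if inet proto icmp from <servers> keep state
pass out on $ext_if inet6 proto icmp6 from <servers> keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pfctl -si` and `pfctl -ss | grep icmp` under load to confirm the state cap is taking effect.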