From: khatfield@socllc.net
To: Norbert Aschendorff
Cc: "freebsd-isp@freebsd.org"
Subject: Re: FreeBSD DDoS protection
Date: Tue, 12 Feb 2013 11:34:21 -0600
In-Reply-To: <511A733E.3000208@yahoo.de>
Message-Id: <875329286.93002.1360690465766@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com>
References: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com> <51179708.2030206@epipe.com> <511A733E.3000208@yahoo.de>

As my response stated, filter ICMP except where necessary. I can state, coming from a mitigation background, that there are ways to safely do it without causing any issues.

However, yes, you can still filter ICMP and remain compliant with an example pf rule like:

    icmp_types = "{ echoreq, unreach }"

But in real-life situations under constant attacks, blocking ICMP can be a large part of keeping businesses online.

If everything were standard and attackers followed the packet/traffic specifications, then going by the standard would be no problem. That's not the case, and sometimes guidelines have to be situational.

-Kevin

On Feb 12, 2013, at 10:54 AM, "Norbert Aschendorff" wrote:

> In fact, it's specified in RFC1122:
>
> 3.2.2.6 Echo Request/Reply: RFC-792
>
> Every host MUST implement an ICMP Echo server function that
> receives Echo Requests and sends corresponding Echo Replies.
>
> I think it implies that the implementation should actually work. :)
>
> --Norbert
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
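The macro Kevin quotes only names the ICMP types; the rules that use it are what actually drop the rest. The following pf.conf fragment is an added example and not Kevin's ruleset or anything from the FreeBSD project: it keeps the two types the macro names (echo requests, so the host still answers pings as RFC 1122 requires, and unreachables, so path MTU discovery keeps working) and drops every other inbound IPv4 ICMP type on the external interface, with a state-table cap so a flood of echo requests cannot grow the state table without bound. The interface name em0 and the cap of 500 states are assumptions; adjust them to the host.

```pf
# Added example, not the original poster's configuration.
# Assumptions: external interface is em0; 500 concurrent ICMP states is
# a reasonable ceiling for this host. Tune both for your environment.
ext_if     = "em0"
icmp_types = "{ echoreq, unreach }"   # the macro quoted in the thread

set skip on lo0

# Default: drop (and log) every inbound IPv4 ICMP type on the external
# interface. pf is last-match, so the pass rule below overrides this only
# for the types listed in $icmp_types.
block in log on $ext_if inet proto icmp

# Allow only echo requests and unreachables. "keep state" lets the echo
# replies out through the same state entry; "(max 500)" bounds how many
# ICMP states a flood can create, which is what limits the damage of a
# ping flood without dropping ICMP wholesale.
pass in on $ext_if inet proto icmp icmp-type $icmp_types keep state (max 500)

# Let this host ping out; the matching replies return via state.
pass out on $ext_if inet proto icmp icmp-type echoreq keep state

# Check syntax before loading:  pfctl -nf /etc/pf.conf
```

This fragment covers IPv4 only. ICMPv6 is a different protocol (proto icmp6) and carries neighbor discovery and router advertisements; blocking it the same way breaks IPv6 connectivity entirely, so an IPv6 host needs its own, more permissive icmp6-type list.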