Date: Wed, 13 Feb 2013 01:52:29 +0100 From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no> To: Mark Felder <feld@feld.me> Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, James Howlett <jim.howlett@outlook.com>, Janne Snabb <snabb@epipe.com>, khatfield@socllc.net Subject: Re: FreeBSD DDoS protection Message-ID: <86zjz9f31u.fsf@ds4.des.no> In-Reply-To: <op.wsehxssd34t2sn@tech304.office.supranet.net> (Mark Felder's message of "Tue, 12 Feb 2013 10:11:42 -0600") References: <SNT002-W152BF18F12BD59F112A1CBAE5040@phx.gbl> <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com> <51179708.2030206@epipe.com> <op.wsehxssd34t2sn@tech304.office.supranet.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Mark Felder <feld@feld.me> writes: > Dropping ICMP is not a security method. Please stop doing this! Slight correction: dropping *all* ICMP is a bad idea. You can get by with just unreach. Add timex, echoreq and echorep for troubleshooting. For IPv6, you want unreach, toobig, neighbrsol and neighbradv. Add timex, echoreq and echorep for troubleshooting, and routersol and routeradv on networks that use SLAAC. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86zjz9f31u.fsf>