Date:      Tue, 12 Feb 2013 18:46:26 +0100
From:      Fleuriot Damien <ml@my.gd>
To:        khatfield@socllc.net
Cc:        Norbert Aschendorff <norbert.aschendorff@yahoo.de>, "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org>
Subject:   Re: FreeBSD DDoS protection
Message-ID:  <79C9AC81-7937-4C2D-8514-51CAEAF314E7@my.gd>
In-Reply-To: <875329286.93002.1360690465766@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com>
References:  <SNT002-W152BF18F12BD59F112A1CBAE5040@phx.gbl> <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com> <51179708.2030206@epipe.com> <op.wsehxssd34t2sn@tech304.office.supranet.net> <511A733E.3000208@yahoo.de> <875329286.93002.1360690465766@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com>


On Feb 12, 2013, at 6:34 PM, khatfield@socllc.net wrote:

> As my response stated filter ICMP except where necessary. I can state coming from a mitigation background that there are ways to safely do it without causing any issues. However, yes, you can still filter ICMP and remain compliant with an example pf rule like:
> icmp_types = "{ echoreq, unreach }"
>

breaks traceroute :(



> But in real life situations under constant attacks, blocking ICMP can be a large part of keeping businesses online.
>

YMMV but I'd advise rate limiting instead of plain blocking.
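
An added example, not part of the original message: a pf.conf fragment that contrasts passing the quoted ICMP macro without limits with a variant that uses pf's state-tracking limits to bound inbound ICMP instead of dropping it. The interface name `em0`, the added `timex` type and every numeric limit are assumptions chosen for illustration.

```pf
# Constructed pf.conf fragment (added example, not from the thread).
# em0 and all numeric limits below are assumed values; tune them per site.
ext_if = "em0"

# The macro quoted in the thread, plus timex (time exceeded), the ICMP
# type traceroute depends on for replies from intermediate hops.
icmp_types = "{ echoreq, unreach, timex }"

set skip on lo0
block in on $ext_if all
pass out on $ext_if all keep state

# Unlimited variant: the listed types pass with no cap, every other
# ICMP type falls through to the default block above.
# pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# Limited variant: the same types still pass, but this rule may hold at
# most 1000 ICMP states in total, track at most 500 source addresses,
# and allow at most 10 simultaneous states per source address.
# These options bound state creation; they do not meter packets per
# second inside a state that already exists.
pass in on $ext_if inet proto icmp all icmp-type $icmp_types \
    keep state (max 1000, source-track rule, max-src-nodes 500, max-src-states 10)
```

The fragment can be syntax-checked without loading it by running `pfctl -nf` on the file.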



