Date:      Wed, 13 Feb 2013 18:04:33 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        Janne Snabb <snabb@epipe.com>, khatfield@socllc.net, Mark Felder <feld@feld.me>, freebsd-isp@freebsd.org, freebsd-security@freebsd.org, James Howlett <jim.howlett@outlook.com>
Subject:   Re: FreeBSD DDoS protection
Message-ID:  <20130213175449.O71572@sola.nimnet.asn.au>
In-Reply-To: <86zjz9f31u.fsf@ds4.des.no>
References:  <SNT002-W152BF18F12BD59F112A1CBAE5040@phx.gbl> <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com> <51179708.2030206@epipe.com> <op.wsehxssd34t2sn@tech304.office.supranet.net> <86zjz9f31u.fsf@ds4.des.no>

On Wed, 13 Feb 2013 01:52:29 +0100, Dag-Erling Smørgrav wrote:
> Mark Felder <feld@feld.me> writes:
> > Dropping ICMP is not a security method. Please stop doing this!

> Slight correction: dropping *all* ICMP is a bad idea.  You can get by
> with just unreach.  Add timex, echoreq and echorep for troubleshooting.

rc.firewall, phk@? has long recommended 3,4,11 as "essential" icmptypes.
Are there any negative security implications to including source quench?

> For IPv6, you want unreach, toobig, neighbrsol and neighbradv.  Add
> timex, echoreq and echorep for troubleshooting, and routersol and
> routeradv on networks that use SLAAC.

cheers, Ian
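As an added illustration that is not part of the thread, the ICMP types discussed above written out as a FreeBSD pf.conf fragment, with the "drop all ICMP" rule shown commented out beside the selective version. The interface name em0 is a placeholder; rc.firewall's icmptypes 3,4,11 correspond to pf's unreach, squench and timex.

```pf
# Added example (not from the thread): ICMP policy for a FreeBSD host in
# pf.conf, using the type names Dag-Erling lists. "em0" is a placeholder.
ext_if = "em0"

# Weak setting, kept only for comparison: dropping every ICMP message also
# drops "fragmentation needed" and "packet too big", so Path MTU discovery
# fails and large transfers stall instead of failing fast.
# block in quick on $ext_if proto icmp
# block in quick on $ext_if proto icmp6

# Default deny inbound; pf keeps state on "pass" rules, so replies to our
# own outbound traffic (including our own pings) come back automatically.
block in on $ext_if
pass out on $ext_if

# IPv4: rc.firewall's "essential" icmptypes 3,4,11 are, in pf's names,
#   3 = unreach  (destination unreachable, incl. fragmentation needed)
#   4 = squench  (source quench; deprecated by RFC 6633, safe to omit)
#  11 = timex    (time exceeded, needed for traceroute and TTL expiry)
pass in on $ext_if inet proto icmp icmp-type { unreach, timex }

# IPv4 troubleshooting set: answer pings and accept stray replies.
pass in on $ext_if inet proto icmp icmp-type { echoreq, echorep }

# IPv6 cannot work without these: unreach and toobig drive PMTUD (routers
# never fragment in IPv6); neighbrsol/neighbradv are the v6 equivalent of
# ARP on the local link.
pass in on $ext_if inet6 proto icmp6 icmp6-type { unreach, toobig, neighbrsol, neighbradv }

# Router solicitation/advertisement only where SLAAC is in use.
pass in on $ext_if inet6 proto icmp6 icmp6-type { routersol, routeradv }

# IPv6 troubleshooting set, as for IPv4.
pass in on $ext_if inet6 proto icmp6 icmp6-type { timex, echoreq, echorep }
```

Parse-check the file with `pfctl -nf /etc/pf.conf` before loading it; the fragment covers only ICMP and still needs the host's own service rules.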