From: khatfield@socllc.net
To: Fleuriot Damien
Cc: Norbert Aschendorff, freebsd-isp@freebsd.org
Date: Tue, 12 Feb 2013 13:10:42 -0600
Subject: Re: FreeBSD DDoS protection

It does, but it's possibly beneficial in some scenarios.

I completely agree with keeping everything standard and not doing things that make other things either unpredictable or more difficult.

That's why I run MX80's instead of BSD-based edge gear any longer. Again, simply trying to help the OP with his current equipment and basic needs to resolve his present issue.

On Feb 12, 2013, at 11:46 AM, "Fleuriot Damien" wrote:

> On Feb 12, 2013, at 6:34 PM, khatfield@socllc.net wrote:
>
>> As my response stated, filter ICMP except where necessary. I can state, coming from a mitigation background, that there are ways to safely do it without causing any issues. However, yes, you can still filter ICMP and remain compliant with an example pf rule like:
>> icmp_types = "{ echoreq, unreach }"
>
> breaks traceroute :(
>
>> But in real life situations under constant attacks, blocking ICMP can be a large part of keeping businesses online.
>
> YMMV but I'd advise rate limiting instead of plain blocking.
>
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
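An added pf.conf example (not from the thread) placing the quoted macro beside one that also passes the ICMP types traceroute and path MTU discovery depend on, and that caps echo requests instead of blocking them outright. The interface name and the rate are assumptions, and the max-pkt-rate option is assumed to be available: it is documented in OpenBSD's pf.conf(5) and was not part of FreeBSD's pf when this thread was written.

```pf
ext_if = "em0"    # assumption: the external interface

# The macro as quoted in the thread. Only echo requests and
# destination-unreachable get in; ICMP time-exceeded replies to
# outgoing probes do not match it.
# icmp_types = "{ echoreq, unreach }"

# Types needed for normal operation: echo requests (monitoring),
# unreachables (including fragmentation-needed, used by path MTU
# discovery) and time-exceeded (the replies traceroute waits for).
icmp_types = "{ echoreq, unreach, timex }"

# Default-deny inbound ICMP on the external interface (IPv4 only,
# matching the quoted rule; ICMPv6 needs its own rules).
block in on $ext_if inet proto icmp

# Rate limit rather than block: pass at most 100 echo requests per
# second matching this rule (assumed value); excess packets are
# dropped. Requires a pf with max-pkt-rate support.
pass in on $ext_if inet proto icmp icmp-type echoreq \
    max-pkt-rate 100/1 keep state

# Error messages are passed without a cap so PMTUD and traceroute
# keep working.
pass in on $ext_if inet proto icmp icmp-type { unreach, timex } keep state
```

Load with `pfctl -nf /etc/pf.conf` first to check syntax on the pf version in use; an older pf rejects the max-pkt-rate line, in which case drop it and keep the explicit type list.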