From: Dag-Erling Smørgrav
To: Mark Felder
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org, James Howlett, Janne Snabb, khatfield@socllc.net
Subject: Re: FreeBSD DDoS protection
Date: Wed, 13 Feb 2013 01:52:29 +0100
Message-ID: <86zjz9f31u.fsf@ds4.des.no>
References: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com> <51179708.2030206@epipe.com>
In-Reply-To: (Mark Felder's message of "Tue, 12 Feb 2013 10:11:42 -0600")
List-Id: Internet Services Providers

Mark Felder writes:
> Dropping ICMP is not a security method. Please stop doing this!

Slight correction: dropping *all* ICMP is a bad idea. You can get by with just unreach. Add timex, echoreq and echorep for troubleshooting.

For IPv6, you want unreach, toobig, neighbrsol and neighbradv. Add timex, echoreq and echorep for troubleshooting, and routersol and routeradv on networks that use SLAAC.

DES
-- 
Dag-Erling Smørgrav - des@des.no
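
The ICMP type sets named in the message above, written out as a pf.conf fragment. This is an added example, not part of the original message; it assumes pf(4) is the packet filter in use (the type names in the message match pf's icmp-type and icmp6-type keywords), and the interface name and macro names are hypothetical.

```pf
# Added example; assumes pf(4). ext_if and the macro names are
# hypothetical and must be adapted to the local ruleset.
ext_if = "em0"

# Type sets exactly as listed in the message.
icmp_core   = "{ unreach }"
icmp_debug  = "{ timex, echoreq, echorep }"
icmp6_core  = "{ unreach, toobig, neighbrsol, neighbradv }"
icmp6_debug = "{ timex, echoreq, echorep }"
icmp6_slaac = "{ routersol, routeradv }"

# Default deny on the external interface.
block in log on $ext_if all

# The pattern the thread argues against: dropping every ICMP message.
# block in quick on $ext_if proto { icmp, icmp6 } all

# IPv4: unreach is the minimum; the debug set is for troubleshooting.
pass in on $ext_if inet proto icmp all icmp-type $icmp_core
pass in on $ext_if inet proto icmp all icmp-type $icmp_debug

# IPv6: the core set, plus the troubleshooting additions.
pass in on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_core
pass in on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_debug

# Only on networks that use SLAAC.
pass in on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_slaac
```

Running `pfctl -nf` on the file parses the ruleset without loading it, which catches a misspelled type name before the rules go live.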