From: khatfield@socllc.net
Date: Wed, 13 Feb 2013 10:44:23 -0600
To: "Matthew X. Economou"
Cc: "freebsd-isp@freebsd.org", "freebsd-security@freebsd.org"
Subject: Re: FreeBSD DDoS protection

Please read the rest of the thread before criticizing.

On Feb 13, 2013, at 9:58 AM, "Matthew X. Economou" wrote:

> khatfield@s... Writes:
>>
>> The less you do with the firewall (routing/blocking/inspecting) the
>> better.
>>
>> Drop drop drop ;)
>
> I think this is really bad advice. A firewall should return
> destination-unreachable/reset packets for administratively prohibited
> traffic types. Drops, null routes, etc. should only be used in case of
> emergency like ongoing DoS attacks or for special cases like stealth
> firewalls.
>
> --
> I FIGHT FOR THE USERS