Date: Wed, 13 Feb 2013 09:28:00 +0100
From: Dag-Erling Smørgrav <des@des.no>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: Janne Snabb <snabb@epipe.com>, khatfield@socllc.net, Mark Felder <feld@feld.me>, freebsd-isp@freebsd.org, freebsd-security@freebsd.org, James Howlett <jim.howlett@outlook.com>
Subject: Re: FreeBSD DDoS protection
Message-ID: <86halg4nzj.fsf@ds4.des.no>
In-Reply-To: <20130213175449.O71572@sola.nimnet.asn.au> (Ian Smith's message of "Wed, 13 Feb 2013 18:04:33 +1100 (EST)")
References: <SNT002-W152BF18F12BD59F112A1CBAE5040@phx.gbl> <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com> <51179708.2030206@epipe.com> <op.wsehxssd34t2sn@tech304.office.supranet.net> <86zjz9f31u.fsf@ds4.des.no> <20130213175449.O71572@sola.nimnet.asn.au>

Ian Smith <smithi@nimnet.asn.au> writes:
> Dag-Erling Smørgrav <des@des.no> writes:
> > Slight correction: dropping *all* ICMP is a bad idea. You can get by
> > with just unreach. Add timex, echoreq and echorep for troubleshooting.
> rc.firewall, phk@? has long recommended 3,4,11 as "essential" icmptypes.
> Are there any negative security implications to including source quench?

See RFC 6633 (http://tools.ietf.org/html/rfc6633) and the literature it
references, particularly RFC 5927 (http://tools.ietf.org/html/rfc5927).

TL;DR: they were a bad idea to begin with, and nobody implements them
anyway.

DES
-- 
Dag-Erling Smørgrav - des@des.no
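
The ICMP selection discussed in this message (unreach, plus timex, echoreq and echorep for troubleshooting, without source quench per RFC 6633), as an added example that is not part of the original e-mail: a shell helper that strips type 4 from an icmptypes list and prints the resulting ipfw rules for review. The function names and the rule numbers 1000 and 1010 are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: build ipfw ICMP rules from a list of ICMP type numbers,
# leaving out type 4 (source quench), which RFC 6633 deprecates.

# Names used in the thread for the ICMP type numbers.
icmp_name() {
    case "$1" in
        0)  echo echorep ;;
        3)  echo unreach ;;
        4)  echo squench ;;
        8)  echo echoreq ;;
        11) echo timex ;;
        *)  echo "type$1" ;;
    esac
}

# filter_icmptypes "3,4,11" prints "3,11"; dropped types go to stderr.
filter_icmptypes() {
    out=""
    old_ifs=$IFS
    IFS=,
    for t in $1; do
        if [ "$t" = 4 ]; then
            echo "dropping icmptype $t ($(icmp_name "$t")): see RFC 6633" >&2
            continue
        fi
        out="${out:+$out,}$t"
    done
    IFS=$old_ifs
    echo "$out"
}

# Print (do not execute) the rules. Rule numbers are constructed samples.
icmp_rules() {
    types=$(filter_icmptypes "$1")
    # If nothing is left after filtering, emit only the deny rule.
    if [ -n "$types" ]; then
        echo "ipfw add 1000 allow icmp from any to any icmptypes $types"
    fi
    echo "ipfw add 1010 deny icmp from any to any"
}

# Constructed input: the 3,4,11 list quoted above plus echo request/reply.
icmp_rules "3,4,11,8,0"
```
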