Date: Wed, 13 Feb 2013 10:58:04 -0500 From: "Matthew X. Economou" <xenophon@irtnog.org> To: <freebsd-isp@freebsd.org>, <freebsd-security@freebsd.org> Subject: RE: FreeBSD DDoS protection Message-ID: <BABF8C57A778F04791343E5601659908236D58@cinip100ntsbs.irtnog.net> In-Reply-To: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com> References: <SNT002-W152BF18F12BD59F112A1CBAE5040@phx.gbl> <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>
next in thread | previous in thread | raw e-mail | index | archive | help
khatfield@s... Writes: >=20 > The less you do with the firewall (routing/blocking/inspecting) the > better. >=20 > Drop drop drop ;) I think this is really bad advice. A firewall should return destination-unreachable/reset packets for administratively prohibited traffic types. Drops, null routes, etc. should only be used in case of emergency like ongoing DoS attacks or for special cases like stealth firewalls.=20 --=20 I FIGHT FOR THE USERS
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BABF8C57A778F04791343E5601659908236D58>