From owner-freebsd-isp@FreeBSD.ORG Wed Feb 13 10:07:45 2013
Date: Wed, 13 Feb 2013 21:07:40 +1100 (EST)
From: Ian Smith
To: Dag-Erling Smørgrav
Cc: Janne Snabb, khatfield@socllc.net, Mark Felder, freebsd-isp@freebsd.org, freebsd-security@freebsd.org, James Howlett
Subject: Re: FreeBSD DDoS protection
In-Reply-To: <86halg4nzj.fsf@ds4.des.no>
Message-ID: <20130213210141.F71572@sola.nimnet.asn.au>
References: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com> <51179708.2030206@epipe.com> <86zjz9f31u.fsf@ds4.des.no> <20130213175449.O71572@sola.nimnet.asn.au> <86halg4nzj.fsf@ds4.des.no>
List-Id: Internet Services Providers
On Wed, 13 Feb 2013 09:28:00 +0100, Dag-Erling Smørgrav wrote:
> Ian Smith writes:
> > Dag-Erling Smørgrav writes:
> > > Slight correction: dropping *all* ICMP is a bad idea. You can get by
> > > with just unreach. Add timex, echoreq and echorep for troubleshooting.
> > rc.firewall, phk@? has long recommended 3,4,11 as "essential" icmptypes.
> > Are there any negative security implications to including source quench?
>
> See RFC 6633 (http://tools.ietf.org/html/rfc6633) and the literature it
> references, particularly RFC 5927 (http://tools.ietf.org/html/rfc5927).
> TL;DR: they were a bad idea to begin with, and nobody implements them
> anyway.

Fair enough, thanks for the refs, I'm just so out of date .. still chewing
on the second and I have a nice fresh icmp-parameters.txt

cheers, Ian
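As an added example (not code from the thread, from rc.firewall or from ipfw itself), the following Python models the two ICMP allow-lists discussed above: rc.firewall's "essential" types 3,4,11 against the unreach/timex/echoreq/echorep set, with source quench (type 4) left out as RFC 6633 deprecates it. The ICMP messages are constructed inline as sample input; the rule renderer assumes only ipfw's numeric `icmptypes` syntax.

```python
import struct

# ICMP type numbers (IANA icmp-parameters); names are those used in the thread.
ICMP_TYPE_NAMES = {0: "echorep", 3: "unreach", 4: "source quench", 8: "echoreq", 11: "timex"}

# rc.firewall's long-standing "essential" set, as mentioned in the thread.
ESSENTIAL_RC_FIREWALL = {3, 4, 11}
# The set suggested in the thread: unreach and timex, plus echoreq/echorep for
# troubleshooting. Source quench (4) is left out, as RFC 6633 deprecates it.
RECOMMENDED = {3, 11, 8, 0}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int = 0, rest: int = 0) -> bytes:
    """Constructed sample message: type, code, checksum, 4-byte rest-of-header."""
    body = struct.pack("!BBHI", icmp_type, code, 0, rest)
    return struct.pack("!BBHI", icmp_type, code, icmp_checksum(body), rest)

def filter_icmp(message: bytes, allowed: set) -> str:
    """'pass' or 'drop' for one ICMP message under an icmptypes allow-list.
    Truncated messages and bad checksums (a valid message sums to 0) are dropped."""
    if len(message) < 8 or icmp_checksum(bytes(message)) != 0:
        return "drop"
    return "pass" if message[0] in allowed else "drop"

def ipfw_rule(allowed: set) -> str:
    """Render the allow-list as one ipfw rule (icmptypes takes a numeric list)."""
    types = ",".join(str(t) for t in sorted(allowed))
    return "ipfw add allow icmp from any to any icmptypes " + types

if __name__ == "__main__":
    # Show how each well-known type fares under the two policies.
    for t in (0, 3, 4, 8, 11):
        msg = build_icmp(t)
        print("%-14s rc.firewall=%-4s recommended=%s" % (
            ICMP_TYPE_NAMES[t], filter_icmp(msg, ESSENTIAL_RC_FIREWALL),
            filter_icmp(msg, RECOMMENDED)))
    print(ipfw_rule(RECOMMENDED))
```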