From owner-freebsd-isp@FreeBSD.ORG Wed Feb 13 15:58:09 2013
Return-Path:
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 75B62B82; Wed, 13 Feb 2013 15:58:09 +0000 (UTC) (envelope-from xenophon@irtnog.org)
Received: from mx1.irtnog.org (rrcs-24-123-13-61.central.biz.rr.com [24.123.13.61]) by mx1.freebsd.org (Postfix) with ESMTP id 2684DB46; Wed, 13 Feb 2013 15:58:08 +0000 (UTC)
Received: from cinep001bsdgw.irtnog.net (localhost [127.0.0.1]) by mx1.irtnog.org (Postfix) with ESMTP id AF2391C886; Wed, 13 Feb 2013 10:58:07 -0500 (EST)
X-Virus-Scanned: amavisd-new at irtnog.org
Received: from mx1.irtnog.org ([127.0.0.1]) by cinep001bsdgw.irtnog.net (mx1.irtnog.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O8l-YOTIqZ1C; Wed, 13 Feb 2013 10:58:05 -0500 (EST)
Received: from cinip100ntsbs.irtnog.net (cinip100ntsbs.irtnog.net [10.63.1.100]) by mx1.irtnog.org (Postfix) with ESMTP; Wed, 13 Feb 2013 10:58:05 -0500 (EST)
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: FreeBSD DDoS protection
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Wed, 13 Feb 2013 10:58:04 -0500
Message-ID:
In-Reply-To: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: FreeBSD DDoS protection
Thread-Index: Ac4HPuiKMbrZCscsSSusNoLTgXoviACuGFlQ
References: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com>
From: "Matthew X. Economou"
To: ,
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Internet Services Providers
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 13 Feb 2013 15:58:09 -0000

khatfield@s... writes:

> The less you do with the firewall (routing/blocking/inspecting) the
> better.
>
> Drop drop drop ;)

I think this is really bad advice. A firewall should return destination-unreachable/reset packets for administratively prohibited traffic types. Drops, null routes, etc. should only be used in case of emergency like ongoing DoS attacks or for special cases like stealth firewalls.

-- 
I FIGHT FOR THE USERS
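The two policies contrasted in the reply above, written out as a FreeBSD pf.conf fragment. This is an added illustration, not configuration from anyone in the thread; the interface name, the offered ports and the address block used as the flood source are placeholders chosen for the example.

```pf
# Added example (not from the thread): "return" as the normal policy for
# administratively prohibited traffic, "drop" reserved for an active flood.
# Interface and address block are placeholders.
ext_if    = "em0"
flood_src = "{ 203.0.113.0/24 }"   # constructed: source of an ongoing DoS

# Normal policy: plain "block" rules answer with a TCP RST or an ICMP
# unreachable, so clients of prohibited services fail immediately instead
# of retransmitting until their timers expire.
set block-policy return

# Emergency case only: silently discard the flood so the firewall spends
# no bandwidth or CPU answering it. "drop" overrides the return policy;
# "quick" stops evaluation so no later pass rule can admit this traffic.
block drop in quick on $ext_if from $flood_src

# Default deny inbound; this host's own outbound traffic is allowed.
block in on $ext_if
pass out on $ext_if keep state

# Services actually offered on the external interface.
pass in on $ext_if proto tcp to ($ext_if) port { 22, 80, 443 } keep state

# Explicitly prohibited services, answered rather than dropped:
# TCP receives a RST; UDP receives ICMP type 3 code 13,
# "communication administratively prohibited" (pf name: filter-prohib).
block return in quick on $ext_if proto tcp to ($ext_if) port 23
block return-icmp(filter-prohib) in quick on $ext_if proto udp to ($ext_if) port 161
```

With `set block-policy return`, every `block` rule that does not name a policy replies to the sender; only the rule that says `drop` explicitly stays silent, which keeps the emergency behaviour a deliberate exception rather than the default. Rule order matters because pf takes the last matching rule unless `quick` is set, so the flood rule is placed first and marked `quick`.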