From owner-freebsd-isp@FreeBSD.ORG Wed Feb 13 17:51:53 2013
Return-Path:
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id A265667D; Wed, 13 Feb 2013 17:51:53 +0000 (UTC) (envelope-from xenophon+freebsd@irtnog.org)
Received: from mx1.irtnog.org (rrcs-24-123-13-61.central.biz.rr.com [24.123.13.61]) by mx1.freebsd.org (Postfix) with ESMTP id 7611334F; Wed, 13 Feb 2013 17:51:53 +0000 (UTC)
Received: from cinep001bsdgw.irtnog.net (localhost [127.0.0.1]) by mx1.irtnog.org (Postfix) with ESMTP id B0CB21C970; Wed, 13 Feb 2013 12:51:51 -0500 (EST)
X-Virus-Scanned: amavisd-new at irtnog.org
Received: from mx1.irtnog.org ([127.0.0.1]) by cinep001bsdgw.irtnog.net (mx1.irtnog.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L7jX3-aEx_AJ; Wed, 13 Feb 2013 12:51:46 -0500 (EST)
Received: from cinip100ntsbs.irtnog.net (cinip100ntsbs.irtnog.net [10.63.1.100]) by mx1.irtnog.org (Postfix) with ESMTP; Wed, 13 Feb 2013 12:51:46 -0500 (EST)
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: RE: FreeBSD DDoS protection
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Wed, 13 Feb 2013 12:51:44 -0500
Message-ID:
In-Reply-To: <2107458022.140210.1360773865635@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: FreeBSD DDoS protection
Thread-Index: Ac4KCWeOCc1HOkl8RBOaRoCiIm8zagAAZPeg
References: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com> <2107458022.140210.1360773865635@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com>
From: "xenophon\\+freebsd"
To: ,
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Internet Services Providers
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 13 Feb 2013 17:51:53 -0000

khatfield@... writes:

> Please read the rest of the thread before criticizing.

Let me clarify. Naïvely blocking ICMP isn't the only thing firewall admins should avoid doing. I think that one should construct firewalls in such a manner that for all prohibited classes of traffic, the firewall should return the correct destination-unreachable messages (TCP RST or ICMP UNREACHABLE) to the traffic source. For one, this makes the presence of a firewall less obvious to attackers, but more importantly, end users don't have to wait for their connections to mysteriously time out when they do something prohibited. Black holes and null routes have their place, such as in response to an active denial of service attack, but not in the primary traffic control policy.

-- 
I FIGHT FOR THE USERS
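The policy described in the message above, expressed as a pf.conf fragment for FreeBSD. This is an added example, not a configuration from the original mail or its author: the interface name em0, the service ports and the table name blackhole are assumptions. It shows the primary policy rejecting prohibited traffic explicitly (TCP RST, ICMP port-unreachable) while a separate, normally empty table is the only place where silent dropping is used, and it keeps the ICMP error types that path MTU discovery and fail-fast behaviour depend on.

```pf
# /etc/pf.conf -- added example, not from the original mail.
# Assumptions: external interface em0; allowed services on 22, 80, 443.

ext_if = "em0"

# Sources being null-routed during an active attack. Empty in normal
# operation; populated with pfctl -t blackhole -T add <address>.
table <blackhole> persist

# Default for every "block" rule that does not say otherwise:
# answer with TCP RST or ICMP unreachable instead of dropping silently.
set block-policy return

# The one silent-drop rule, evaluated first ("quick") so that attack
# sources never receive a reply and never reach the reject rules below.
block drop in quick on $ext_if from <blackhole> to any

# Primary policy: prohibited traffic is rejected explicitly so the
# client fails immediately rather than timing out.
block return-rst in on $ext_if proto tcp from any to any
block return-icmp(port-unr) in on $ext_if proto udp from any to any
block return in on $ext_if all

# Let our own unreachable / RST replies out, and accept the ICMP error
# types that path MTU discovery and TTL diagnostics need.
pass out on $ext_if proto icmp all
pass in on $ext_if proto icmp icmp-type { unreach, timex, paramprob }

# Permitted services; later "pass" rules override the "block" rules above.
pass in on $ext_if proto tcp from any to any port { 22, 80, 443 } flags S/SA keep state
pass out on $ext_if all keep state
```

Load with `pfctl -f /etc/pf.conf` and check the parse with `pfctl -nf /etc/pf.conf` first. During an attack, add the offending sources to the table with `pfctl -t blackhole -T add` and remove them afterwards with `pfctl -t blackhole -T flush`, so the silent-drop behaviour is confined to the incident rather than becoming part of the standing policy.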