From: Ekkehard 'Ekki' Gehm
Date: Wed, 13 Feb 2013 19:38:55 +0100
To: freebsd-isp@freebsd.org
Subject: Re: FreeBSD DDoS protection
Message-ID: <511BDDBF.9070903@physik.tu-berlin.de>
In-Reply-To: <928201005.145638.1360780287310@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com>
Ahoi!

On 13.02.2013 19:31, khatfield@socllc.net wrote:
> Yes and let me clarify.
>
> If you read the rest of this discussion, all other emails, you would see that has been said already.
> So true!
>
>
> On Feb 13, 2013, at 11:52 AM, "xenophon\+freebsd" wrote:
>
>> khatfield@... writes:
>>> Please read the rest of the thread before criticizing.
>> Let me clarify. Naïvely blocking ICMP isn't the only thing firewall admins should avoid doing. I think that one should construct firewalls in such a manner that for all prohibited classes of traffic, the firewall should return the correct destination-unreachable messages (TCP RST or ICMP UNREACHABLE) to the traffic source. For one, this makes the presence of a firewall less obvious to attackers, but more importantly, end users don't have to wait for their connections to mysteriously time out when they do something prohibited. Black holes and null routes have their place, such as in response to an active denial of service attack, but not in the primary traffic control policy.
>>
>> --
>> I FIGHT FOR THE USERS
>>
>> _______________________________________________
>> freebsd-isp@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
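The policy xenophon describes above (reject with RST/unreachable as the primary policy, silent drop reserved for an active DoS, and the useful ICMP types left open) expressed as a FreeBSD pf.conf. This is an added example, not a file from the thread or from FreeBSD; the interface name em0, the table name ddos_src, and the port list are assumptions.

```pf
# Constructed pf.conf example; em0, the ddos_src table and the port list are assumed.
ext_if = "em0"

# Sources being black-holed during an active attack. Empty by default; filled
# at runtime, e.g.  pfctl -t ddos_src -T add 192.0.2.0/24  and emptied afterwards.
table <ddos_src> persist

# Primary policy: prohibited traffic is rejected, not dropped. With "return",
# pf answers blocked TCP with a RST and everything else with ICMP/ICMP6
# unreachable, so clients fail immediately instead of timing out.
set block-policy return
set skip on lo0

scrub in all

# DoS exception: silently drop flood sources before anything else is evaluated.
# "drop" overrides block-policy for this rule only; "quick" ends rule processing.
block drop in quick on $ext_if from <ddos_src> to any

# Default deny, inheriting the "return" policy set above.
block in log on $ext_if
block out on $ext_if

# Do not block ICMP naively: keep the types hosts rely on (echo, unreachable
# for path-MTU discovery, time exceeded for traceroute, ND for IPv6).
icmp_types  = "{ echoreq, unreach, timex, paramprob }"
icmp6_types = "{ echoreq, unreach, toobig, timex, paramprob, neighbrsol, neighbradv, routeradv }"
pass in on $ext_if inet  proto icmp  all icmp-type  $icmp_types
pass in on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_types

# Services actually offered; everything else hits the rejecting default deny.
pass in on $ext_if proto tcp from any to ($ext_if) port { 22, 80, 443 } flags S/SA keep state

# Outbound traffic is allowed and tracked statefully.
pass out on $ext_if keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading; when the attack subsides, flush the table with `pfctl -t ddos_src -T flush` so the black hole does not outlive its purpose.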