Date: Tue, 18 Jan 2000 12:53:12 -0500 From: matt <matt@ARPA.MAIL.NET> To: James Wyatt <jwyatt@rwsystems.net> Cc: Jonathan Fortin <jonf@revelex.com>, freebsd-security@freebsd.org Subject: Re: TCP/IP Message-ID: <Pine.BSF.4.21.0001181252220.98451-100000@w01.arpa-canada.net> In-Reply-To: <Pine.BSF.4.10.10001181136580.42481-100000@bsdie.rwsystems.net>
next in thread | previous in thread | raw e-mail | index | archive | help
I would love to talk my uplink (uunet.ca) into filtering certain things before they pass it on to my router, wish they would =/ Besides that, I filter syn,fin, icmp, all udp except ntp/dns, besides that, I don't think there is much that I can do. -Matt On Tue, 18 Jan 2000, James Wyatt wrote: : Date: Tue, 18 Jan 2000 12:41:02 -0500 : From: James Wyatt <jwyatt@rwsystems.net> : To: Jonathan Fortin <jonf@revelex.com> : Cc: freebsd-security@freebsd.org : Subject: Re: TCP/IP : : On Tue, 18 Jan 2000, Jonathan Fortin wrote: : > I noticed that most of the firewalls out there don't cover protection e.g, on a denial of service attack, it should ignore the whole protocol : > but only allow packets with 3k in lenght. etc. : : The only real DoS 'thing' I've noticed is the ICMP_BANDLIM to limit icmp : error responses, which works fairly well. Most of the DoS stuff, IMHO, : should be done at the router, and the one on the input-end of the link if : you can. This protects the link as well as the host. Amplifiers can really : overwhelm a link... Of course, if you are using FreeBSD as your router, : this becomes very implrtant on the host again, right Dennis? : : I would *love* to hear what others have done besides the usual ipfw rules. : Thanks - Jy@ : : : : To Unsubscribe: send mail to majordomo@FreeBSD.org : with "unsubscribe freebsd-security" in the body of the message : To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0001181252220.98451-100000>