FreeBSD DDoS protection

Chris Boyd cboyd at gizmopartners.com
Sun Feb 10 19:57:18 UTC 2013


On Sat, 2013-02-09 at 19:57 -0600, khatfield at socllc.net wrote:
> 
> Deny all ICMP (drop I mean)

Please DON'T do this.  ICMP is a required part of the TCP/IP suite.

It breaks Path MTU discovery, leading to oddball issues where some sites
can't load graphics, some file transfers break, etc.

It makes troubleshooting using traceroute not work.

If you don't want to get pinged, then drop echo request/reply.  But
those are really pretty harmless.

--Chris
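
The following is an added example, not part of the message above or of any FreeBSD tool: a Python sketch of the filtering decision the reply argues for, applied to constructed ICMPv4 messages. The function names (`checksum`, `build`, `decide`) are hypothetical, and dropping messages with a bad checksum is an assumption of this example rather than something the reply states.

```python
import struct

# ICMPv4 types/codes relevant to the advice in the reply above.
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4  # code under DEST_UNREACH, used by Path MTU discovery (RFC 1191)


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a message that is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Construct a sample ICMPv4 message (no IP header) with a valid checksum."""
    body = struct.pack("!BBHI", icmp_type, code, 0, rest) + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def decide(msg: bytes, drop_echo: bool = True):
    """Return (verdict, reason): everything passes except, optionally, echo."""
    if len(msg) < 8 or checksum(msg) != 0:
        return "drop", "malformed ICMP"  # assumption of this example
    icmp_type, code, _, rest = struct.unpack("!BBHI", msg[:8])
    if icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        return ("drop" if drop_echo else "pass"), "echo request/reply"
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        # Low 16 bits of the second header word carry the next-hop MTU.
        return "pass", f"Path MTU discovery, next-hop MTU {rest & 0xFFFF}"
    if icmp_type == TIME_EXCEEDED:
        return "pass", "time exceeded (traceroute)"
    return "pass", "other ICMP"


if __name__ == "__main__":
    # Constructed samples: fragmentation needed, TTL expired, ping.
    samples = [build(DEST_UNREACH, FRAG_NEEDED, rest=1400),
               build(TIME_EXCEEDED, 0),
               build(ECHO_REQUEST, 0, rest=0x00010001, payload=b"ping")]
    for m in samples:
        print(m[:8].hex(), *decide(m))
```

A blanket "deny all ICMP" rule corresponds to returning "drop" on every branch, which discards the fragmentation-needed message in the first sample along with the ping.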



