FreeBSD DDoS protection

Dag-Erling Smørgrav des at des.no
Wed Feb 13 00:52:32 UTC 2013


Mark Felder <feld at feld.me> writes:
> Dropping ICMP is not a security method. Please stop doing this!

Slight correction: dropping *all* ICMP is a bad idea.  You can get by
with just unreach.  Add timex, echoreq and echorep for troubleshooting.

For IPv6, you want unreach, toobig, neighbrsol and neighbradv.  Add
timex, echoreq and echorep for troubleshooting, and routersol and
routeradv on networks that use SLAAC.

DES
-- 
Dag-Erling Smørgrav - des at des.no
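
The allow-list described in this message, written as a pf.conf fragment. This is an added example, not part of the original post: it assumes pf is the packet filter in use, and the interface name em0 and the macro names are placeholders chosen for illustration.

```conf
# Added example, not from the original message.
# Assumption: pf is the firewall; em0 is a placeholder interface name.
ext_if = "em0"

# ICMP types the message calls sufficient on their own.
icmp4_required = "{ unreach }"
icmp6_required = "{ unreach, toobig, neighbrsol, neighbradv }"

# Types the message suggests adding for troubleshooting.
icmp4_debug = "{ timex, echoreq, echorep }"
icmp6_debug = "{ timex, echoreq, echorep }"

# Only needed on networks that use SLAAC.
icmp6_slaac = "{ routersol, routeradv }"

set skip on lo0

# Default deny inbound, allow outbound with state.
block in log on $ext_if all
pass out on $ext_if all keep state

# IPv4: required types, then troubleshooting types.
pass in on $ext_if inet proto icmp all icmp-type $icmp4_required
pass in on $ext_if inet proto icmp all icmp-type $icmp4_debug

# IPv6: required types, then troubleshooting types.
pass in on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_required
pass in on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_debug

# IPv6 SLAAC: comment this rule out on statically configured networks.
pass in on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_slaac
```

The file can be syntax-checked without loading it using `pfctl -nf` on the path where it is saved.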

