FreeBSD DDoS protection

Ian Smith smithi at nimnet.asn.au
Wed Feb 13 07:05:52 UTC 2013


On Wed, 13 Feb 2013 01:52:29 +0100, Dag-Erling Smørgrav wrote:
> Mark Felder <feld at feld.me> writes:
> > Dropping ICMP is not a security method. Please stop doing this!

> Slight correction: dropping *all* ICMP is a bad idea.  You can get by
> with just unreach.  Add timex, echoreq and echorep for troubleshooting.

rc.firewall, phk@? has long recommended 3,4,11 as "essential" icmptypes.
Are there any negative security implications to including source quench?

> For IPv6, you want unreach, toobig, neighbrsol and neighbradv.  Add
> timex, echoreq and echorep for troubleshooting, and routersol and
> routeradv on networks that use SLAAC.

cheers, Ian
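The type names above are pf(4) ICMP type keywords, so the advice maps directly onto a pf.conf ruleset. The fragment below is an added example, not code from the thread; it assumes a FreeBSD host with pf, an external interface named em0 and a default-deny inbound policy, and shows the drop-everything setting beside the selective one.

```pf
# Constructed pf.conf fragment; interface name is an assumption.
ext_if = "em0"

# Weak setting: blocking every ICMP/ICMPv6 message.  This silently
# breaks path MTU discovery, traceroute and, on IPv6, neighbor
# discovery (the host can no longer resolve even its on-link gateway).
#   block in on $ext_if proto { icmp, icmp6 }

# Selective setting: default deny inbound, then pass only what is needed.
block in on $ext_if
pass out on $ext_if          # stateful, so our own echo requests get replies

# IPv4: unreach is the essential one (PMTUD, port unreachable);
# timex, echoreq and echorep are kept for troubleshooting.
# Source quench (type 4) is intentionally left out: RFC 6633 deprecated
# it and hosts are required to ignore it, so passing it has no benefit.
pass in on $ext_if inet proto icmp icmp-type { unreach, timex, echoreq, echorep }

# IPv6: unreach, toobig (PMTUD is mandatory on v6) and neighbor
# discovery are required; timex/echoreq/echorep for troubleshooting.
pass in on $ext_if inet6 proto icmp6 icmp6-type { unreach, toobig, neighbrsol, neighbradv, timex, echoreq, echorep }

# Only on networks that use SLAAC (router solicitation/advertisement):
#   pass in on $ext_if inet6 proto icmp6 icmp6-type { routersol, routeradv }
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`.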

