FreeBSD DDoS protection
Ian Smith
smithi at nimnet.asn.au
Wed Feb 13 07:05:52 UTC 2013
On Wed, 13 Feb 2013 01:52:29 +0100, Dag-Erling Smørgrav wrote:
> Mark Felder <feld at feld.me> writes:
> > Dropping ICMP is not a security method. Please stop doing this!
> Slight correction: dropping *all* ICMP is a bad idea. You can get by
> with just unreach. Add timex, echoreq and echorep for troubleshooting.
rc.firewall, phk@? has long recommended 3,4,11 as "essential" icmptypes.
Are there any negative security implications to including source quench?
> For IPv6, you want unreach, toobig, neighbrsol and neighbradv. Add
> timex, echoreq and echorep for troubleshooting, and routersol and
> routeradv on networks that use SLAAC.
cheers, Ian
More information about the freebsd-security
mailing list