FreeBSD DDoS protection
Dag-Erling Smørgrav
des at des.no
Wed Feb 13 08:28:03 UTC 2013
Ian Smith <smithi at nimnet.asn.au> writes:
> Dag-Erling Smørgrav <des at des.no> writes:
> > Slight correction: dropping *all* ICMP is a bad idea. You can get by
> > with just unreach. Add timex, echoreq and echorep for troubleshooting.
> rc.firewall, phk@? has long recommended 3,4,11 as "essential" icmptypes.
> Are there any negative security implications to including source quench?
See RFC 6633 (http://tools.ietf.org/html/rfc6633) and the literature it
references, particularly RFC 5927 (http://tools.ietf.org/html/rfc5927).
TL;DR: they were a bad idea to begin with, and nobody implements them
anyway.
DES
--
Dag-Erling Smørgrav - des at des.no
More information about the freebsd-security
mailing list