FreeBSD DDoS protection

Ian Smith smithi at nimnet.asn.au
Wed Feb 13 10:08:41 UTC 2013


On Wed, 13 Feb 2013 09:28:00 +0100, Dag-Erling Smørgrav wrote:
 > Ian Smith <smithi at nimnet.asn.au> writes:
 > > Dag-Erling Smørgrav <des at des.no> writes:
 > >  > Slight correction: dropping *all* ICMP is a bad idea.  You can get by 
 > >  > with just unreach.  Add timex, echoreq and echorep for troubleshooting.
 > > rc.firewall, phk@? has long recommended 3,4,11 as "essential" icmptypes.  
 > > Are there any negative security implications to including source quench?
 > 
 > See RFC 6633 (http://tools.ietf.org/html/rfc6633) and the literature it
 > references, particularly RFC 5927 (http://tools.ietf.org/html/rfc5927).
 > TL;DR: they were a bad idea to begin with, and nobody implements them
 > anyway.

Fair enough, thanks for the refs, I'm just so out of date .. still 
chewing on the second and I have a nice fresh icmp-parameters.txt

cheers, Ian

