FreeBSD DDoS protection
Fleuriot Damien
ml at my.gd
Tue Feb 12 17:46:39 UTC 2013
On Feb 12, 2013, at 6:34 PM, khatfield at socllc.net wrote:
> As my response stated filter ICMP except where necessary. I can state coming from a mitigation background that there are ways to safely do it without causing any issues. However, yes, you can still filter ICMP and remain compliant with an example pf rule like:
> icmp_types = "{ echoreq, unreach }"
>
breaks traceroute :(
> But in real life situations under constant attacks, blocking ICMP can be a large part of keeping businesses online.
>
YMMV but I'd advise rate limiting instead of plain blocking.
More information about the freebsd-isp
mailing list