FreeBSD DDoS protection
khatfield at socllc.net
Tue Feb 12 19:10:57 UTC 2013
It does, but it is possibly beneficial in some scenarios. I completely agree with keeping everything standard and not doing things that make other things either unpredictable or more difficult.
That's why I run MX80s instead of BSD-based edge gear any longer. Again, simply trying to help the OP with his current equipment and basic needs to resolve his present issue.
On Feb 12, 2013, at 11:46 AM, "Fleuriot Damien" <ml at my.gd> wrote:
>
> On Feb 12, 2013, at 6:34 PM, khatfield at socllc.net wrote:
>
>> As my response stated, filter ICMP except where necessary. I can state, coming from a mitigation background, that there are ways to safely do it without causing any issues. However, yes, you can still filter ICMP and remain compliant with an example pf rule like:
>> icmp_types = "{ echoreq, unreach }"
>
> breaks traceroute :(
>
>
>
>> But in real-life situations under constant attacks, blocking ICMP can be a large part of keeping businesses online.
>
> YMMV but I'd advise rate limiting instead of plain blocking.
>