On Wed, 13 Feb 2013 01:52:29 +0100, Dag-Erling Smørgrav wrote:
> Mark Felder <[email protected]> writes:
> > Dropping ICMP is not a security method. Please stop doing this!
> Slight correction: dropping *all* ICMP is a bad idea. You can get by
> with just unreach. Add timex, echoreq and echorep for troubleshooting.
rc.firewall, phk@? has long recommended 3,4,11 as "essential" icmptypes.
Are there any negative security implications to including source quench?
> For IPv6, you want unreach, toobig, neighbrsol and neighbradv. Add
> timex, echoreq and echorep for troubleshooting, and routersol and
> routeradv on networks that use SLAAC.
cheers, Ian
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
