Yes, and let me clarify. If you read the rest of this discussion, all the other emails, you would see that this has been said already.
On Feb 13, 2013, at 11:52 AM, "xenophon\\+freebsd" <[email protected]> wrote:

> khatfield@... writes:
>>
>> Please read the rest of the thread before criticizing.
>
> Let me clarify. Naïvely blocking ICMP isn't the only thing firewall admins
> should avoid doing. I think that one should construct firewalls in such a
> manner that for all prohibited classes of traffic, the firewall should return
> the correct destination-unreachable messages (TCP RST or ICMP UNREACHABLE) to
> the traffic source. For one, this makes the presence of a firewall less
> obvious to attackers, but more importantly, end users don't have to wait for
> their connections to mysteriously time out when they do something prohibited.
> Black holes and null routes have their place, such as in response to an
> active denial of service attack, but not in the primary traffic control
> policy.
>
> --
> I FIGHT FOR THE USERS
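As an added illustration (not part of either message in the thread), here is how the policy xenophon describes looks in a FreeBSD pf.conf, with the silent-drop setting beside the corrected one; the interface name, network and table name are assumed:

```pf
# Added example, not from the thread. Assumed names: em0, 192.0.2.0/24, <ddos_sources>.
ext_if = "em0"
internal_net = "192.0.2.0/24"

# --- Weak: everything prohibited is dropped silently -----------------------
# Clients of a blocked service hang until their own timers expire, and the
# lack of any answer at all is itself a tell that a filter sits in the path.
# set block-policy drop
# block in on $ext_if

# --- Corrected: prohibited traffic gets the right unreachable message -------
# "return" sends a TCP RST for TCP and an ICMP port-unreachable for UDP;
# other protocols are still dropped, which matches end-host behaviour.
set block-policy return
block return in on $ext_if

# Per-class overrides where a more specific answer is appropriate:
# telnet is prohibited, so answer with an RST exactly as a closed port would.
block return-rst in on $ext_if proto tcp from any to $internal_net port 23
# UDP to an internal range that is administratively off limits:
block return-icmp(filter-prohib) in on $ext_if proto udp from any to $internal_net

# --- Black hole reserved for an active DoS, not the primary policy ----------
# Sources are added with "pfctl -t ddos_sources -T add <addr>" during an
# incident and removed afterwards; these are dropped with no reply so the
# firewall spends no bandwidth answering the flood.
table <ddos_sources> persist
block drop in quick on $ext_if from <ddos_sources> to any

# Permitted traffic follows, stateful as usual.
pass in on $ext_if proto tcp from any to $internal_net port { 22, 80, 443 } keep state
pass out on $ext_if keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`.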
