On Wed, 21 May 2008, John Kristoff wrote:
In the environments where I've done this, my experience was that it was an acceptable practice at the time and in a couple cases it did help the net upstream when something went wrong (e.g. this did stop some real DoS traffic for me more than once). I made use of protocol counters or some monitoring tools to ensure they were not unnecessarily dropping valid packets. Your mileage may vary of course, as it apparently does?
Welcome to the wonderful world of deciding on "defaults." Unfortunately, the people most likely to be negatively affected by defaults are also people least likely to know the consequences of those defaults. Is it better to set defaults conservatively and allow people who want more to expand them? Or better to set defaults liberally and allow people who want less to reduce them?