Blackhole routes vs firewall drop rules

Bob Bishop rb at gid.co.uk
Sun Feb 26 23:06:58 UTC 2012


On 26 Feb 2012, at 21:14, Matthias Apitz wrote:

> On Sunday, February 26, 2012 at 01:05:11PM -0800, Julian Elischer wrote:
> 
>> On 2/26/12 5:34 AM, Bob Bishop wrote:
>>> Hi,
>>> 
>>> I'd like to hear from somebody who understands this stuff on the relative merits of blackhole routes vs firewall drop rules for dealing with packets from unwanted sources. I'm particularly interested in efficiency and scalability. Thanks
>> 
>> The key is the word "from".  Routes can only be selected on 'TO' 
>> (destination), whereas firewalls can select on any combination of 
>> header fields.
> 
> I understand the idea of the OP as: based on the source IP addr, he
> wants to install routes so that the resulting IP packet to the source IP goes
> to "nowhere", i.e. not back to the origin IP, and the 1st SYN is not
> answered back to the source IP;

Exactly. But would firewall drop rules be a better (more efficient) way to do that?

> 	matthias
> -- 
> Matthias Apitz
> e <guru at unixarea.de> - w http://www.unixarea.de/
> UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
> UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
> 

--
Bob Bishop
rb at gid.co.uk
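The distinction Julian draws (routes key on the destination, firewall rules on any header field) is what decides the behaviour the OP asks about. The following toy model is an added illustration, not code from the thread or from FreeBSD: it runs a constructed inbound SYN through (a) a longest-prefix route lookup with a blackhole entry, modelled on what `route add -blackhole` installs, and (b) an ordered first-match rule list in the style of an ipfw deny rule. The addresses, table contents and function names are all constructed for the example.

```python
"""Toy model (constructed example) of blackhole routes vs firewall drop rules.

A route is consulted only when the kernel originates or forwards a packet,
and the lookup is keyed solely on the packet's destination.  A firewall
rule is evaluated on the inbound as well as the outbound path and may key
on any combination of header fields.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str = "tcp"
    flags: str = "S"            # "S" = SYN, "SA" = SYN-ACK


# Constructed addresses: the host we protect and a source range we shun.
SERVER = ip_address("198.51.100.10")
UNWANTED = ip_network("203.0.113.0/24")

# Routing tables: (prefix, next hop).  next_hop=None models a blackhole entry.
ROUTES_PLAIN = [(ip_network("0.0.0.0/0"), "gw")]
ROUTES_BLACKHOLE = [
    (ip_network("0.0.0.0/0"), "gw"),
    (UNWANTED, None),                        # blackhole the whole /24 ...
    (ip_network("203.0.113.1/32"), "gw"),    # ... except one more-specific host
]

# Firewall rule lists: first match wins; None in a field means "don't care".
RULES_ALLOW_ALL = [
    {"action": "allow", "dir": None, "src": None, "dst": None},
]
RULES_DENY_UNWANTED = [
    {"action": "deny", "dir": "in", "src": UNWANTED, "dst": None},
    {"action": "allow", "dir": None, "src": None, "dst": None},
]


def route_lookup(dst: IPv4Address, routes) -> Optional[str]:
    """Longest-prefix match on destination only; None means blackhole."""
    best_prefix: Optional[IPv4Network] = None
    best_hop: Optional[str] = None
    for prefix, next_hop in routes:
        if dst in prefix and (best_prefix is None or prefix.prefixlen > best_prefix.prefixlen):
            best_prefix, best_hop = prefix, next_hop
    return best_hop


def firewall_verdict(pkt: Packet, direction: str, rules) -> str:
    """First-match evaluation over any combination of fields; default deny."""
    for rule in rules:
        if rule["dir"] not in (None, direction):
            continue
        if rule["src"] is not None and pkt.src not in rule["src"]:
            continue
        if rule["dst"] is not None and pkt.dst not in rule["dst"]:
            continue
        return rule["action"]
    return "deny"


def handle_syn(pkt: Packet, routes, rules) -> dict:
    """Trace an inbound SYN and the SYN-ACK the host would send back."""
    trace = {"syn_reached_stack": False, "synack_sent": False}
    if firewall_verdict(pkt, "in", rules) != "allow":
        return trace                      # dropped before the TCP stack saw it
    trace["syn_reached_stack"] = True     # the stack still parses and handles it
    synack = Packet(src=pkt.dst, dst=pkt.src, proto=pkt.proto, flags="SA")
    if firewall_verdict(synack, "out", rules) != "allow":
        return trace
    if route_lookup(synack.dst, routes) is None:
        return trace                      # blackhole: reply silently discarded
    trace["synack_sent"] = True
    return trace


SYN_FROM_UNWANTED = Packet(src=ip_address("203.0.113.7"), dst=SERVER)
SYN_FROM_GOOD = Packet(src=ip_address("192.0.2.5"), dst=SERVER)

if __name__ == "__main__":
    print("blackhole only :", handle_syn(SYN_FROM_UNWANTED, ROUTES_BLACKHOLE, RULES_ALLOW_ALL))
    print("firewall only  :", handle_syn(SYN_FROM_UNWANTED, ROUTES_PLAIN, RULES_DENY_UNWANTED))
    print("good source    :", handle_syn(SYN_FROM_GOOD, ROUTES_BLACKHOLE, RULES_DENY_UNWANTED))
```

In the blackhole-only case the SYN still reaches the stack and only the reply is lost, which is exactly the "not answered back" effect Matthias describes; in the firewall case the SYN never reaches the stack at all. The more-specific /32 entry also shows the longest-prefix behaviour a route table gives for free, which a plain ordered rule list does not.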