Blackhole routes vs firewall drop rules

Damien Fleuriot ml at my.gd
Sun Feb 26 22:45:25 UTC 2012


On 26 Feb 2012, at 14:34, Bob Bishop <rb at gid.co.uk> wrote:

> Hi,
> 
> I'd like to hear from somebody who understands this stuff on the relative merits of blackhole routes vs firewall drop rules for dealing with packets from unwanted sources. I'm particularly interested in efficiency and scalability. Thanks
> 

First, there is no definitive answer to your question because they both address different issues.


With a null (or blackhole) route, you effectively suppress ALL the traffic from an unwanted destination.
Note however that, unless you perform reverse path checks on your routers (google urpf and DFZ), ALL the packets from the source IP will still reach your servers and be processed, in the case of protocols without sessions (UDP comes to mind, ICMP as well).
This means your server might still work for no reason while processing the packets which will be dropped later.


Firewalling OTOH doesn't exhibit this drawback.
It also has the huge advantage of being able to filter on more aspects than simply the source IP: protocol, ports, rate limiting, automatic blacklisting... to name but a few of PF's capabilities.



You may want to be more accurate about your *needs* before asking us to discuss the *means* to attain them, though.

Hope that helps.
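To make the difference concrete, here is a small added model (not code from the thread, from the poster, or from FreeBSD/PF) of the three situations described above: a null route alone, a null route combined with a reverse-path check, and an ingress firewall rule. Addresses come from the documentation ranges, the packets are constructed, and the Router/Server classes are a simplification of real forwarding and PF behaviour, assumed only for illustration. The point it shows is the one made above: with a null route alone, sessionless traffic still reaches the server and is processed before the replies are discarded, while uRPF or a firewall rule drops it on the way in, and the firewall rule can be narrowed to a protocol or port.

```python
"""Toy model of null (blackhole) routes vs ingress firewall drops.

Constructed example: the prefixes, hosts and packets are made up
(RFC 5737 documentation ranges), and Router/Server are a simplified
model, not FreeBSD's routing table or PF.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# A firewall rule is a predicate over the packet; True means "drop on ingress".
Rule = Callable[[Packet], bool]


@dataclass
class Router:
    blackholes: List[str] = field(default_factory=list)  # prefixes with a null route
    urpf: bool = False                                   # reverse-path check enabled
    rules: List[Rule] = field(default_factory=list)      # ingress drop rules

    def _blackholed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(p) for p in self.blackholes)

    def ingress(self, pkt: Packet) -> str:
        """Fate of a packet arriving from the outside."""
        if any(rule(pkt) for rule in self.rules):
            return "drop:firewall"
        # uRPF: the route back to the source is a null route, so the
        # packet fails the reverse-path check and is dropped on ingress.
        if self.urpf and self._blackholed(pkt.src):
            return "drop:urpf"
        return "forward"

    def egress(self, pkt: Packet) -> str:
        """Fate of a reply leaving towards the outside."""
        return "drop:blackhole" if self._blackholed(pkt.dst) else "sent"


@dataclass
class Server:
    processed: int = 0   # packets that consumed server resources

    def handle(self, pkt: Packet) -> Packet:
        self.processed += 1
        return Packet(src=pkt.dst, dst=pkt.src, proto=pkt.proto, dport=0)


def simulate(router: Router, packets: List[Packet]) -> dict:
    server = Server()
    out = {"ingress_dropped": 0, "processed": 0, "replies_sent": 0, "replies_dropped": 0}
    for pkt in packets:
        if router.ingress(pkt) != "forward":
            out["ingress_dropped"] += 1
            continue
        reply = server.handle(pkt)
        if router.egress(reply) == "sent":
            out["replies_sent"] += 1
        else:
            out["replies_dropped"] += 1
    out["processed"] = server.processed
    return out


# Constructed traffic: three packets from an unwanted source, one legitimate client.
UNWANTED = "203.0.113.7"
SERVER = "198.51.100.10"
TRAFFIC = [
    Packet(UNWANTED, SERVER, "udp", 53),
    Packet(UNWANTED, SERVER, "tcp", 80),
    Packet(UNWANTED, SERVER, "udp", 123),
    Packet("192.0.2.44", SERVER, "tcp", 80),   # legitimate client
]


def blackhole_only() -> dict:
    """Null route for the unwanted prefix, no ingress check at all."""
    return simulate(Router(blackholes=["203.0.113.0/24"]), TRAFFIC)


def blackhole_with_urpf() -> dict:
    """Same null route, but the router also does a reverse-path check."""
    return simulate(Router(blackholes=["203.0.113.0/24"], urpf=True), TRAFFIC)


def firewall_udp_only() -> dict:
    """Firewall rule dropping only UDP from the prefix; its TCP is still allowed."""
    net = ipaddress.ip_network("203.0.113.0/24")
    block_udp = lambda p: p.proto == "udp" and ipaddress.ip_address(p.src) in net
    return simulate(Router(rules=[block_udp]), TRAFFIC)


if __name__ == "__main__":
    for name, fn in [("blackhole only", blackhole_only),
                     ("blackhole + uRPF", blackhole_with_urpf),
                     ("firewall, UDP only", firewall_udp_only)]:
        print(f"{name:20s} {fn()}")
```

Run it and the first scenario reports four packets processed with three replies dropped: the server did the work and the null route only threw away the answers. The second drops the three unwanted packets before the server sees them, and the third shows the selectivity a firewall gives (the TCP packet from the same prefix is still processed and answered), which is what the finer-grained filtering described above buys you.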

