ipfw rules vs routes to localhost?
"." at babolo.ru
Thu May 29 15:16:08 PDT 2003
> I'm considering:
>
> ipfw add N deny ip from a.b.c.d to any
>
> vs.
>
> route add -host a.b.c.d localhost
>
> I need to block traffic to a number of IP addresses. I thought I'd use
> ipfw to avoid things like UDP DNS lookups that might come in and take up
> resources while my system tried to respond, but it's been suggested on
> another list that setting routes to localhost will use less resources.
> Ideally, I'd like to be able to block a few tens of thousands of IPs.
>
> What's the scoop?
ipfw with a huge list works slowly.
Don't try huge route tables.
use in kernel:
pseudo-device disc #Discard device (ds0, ds1, etc)
and
ifconfig ds0 inet 0.0.0.1/32 (or else)
route add -host a.b.c.d 0.0.0.1
instead of localhost
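An added example, not from the thread: a small sh script that turns a list of addresses into the route commands from the reply above, after dropping comments, blanks, duplicates and malformed entries. It assumes ds0 has already been configured as 0.0.0.1/32 as the reply describes, and it only prints the commands for review rather than touching the routing table.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates "route add -host"
# commands that point each address at the discard interface. Assumes the
# gateway address 0.0.0.1 was assigned to ds0 as in the reply; nothing here
# modifies the routing table, the output is meant to be reviewed first.

DISCARD_GW="0.0.0.1"   # address given to ds0 in the reply

# Constructed sample list: comments, blank lines, a duplicate and a bad entry
SAMPLE_LIST='# hosts to blackhole
192.0.2.10
198.51.100.7

192.0.2.10
not-an-ip
203.0.113.250'

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Read addresses from stdin; strip comments, whitespace and blank lines,
# deduplicate, then print one route command per valid address.
# Invalid entries are reported on stderr and skipped.
gen_blackhole_routes() {
    sed 's/#.*//' | tr -d ' \t' | grep -v '^$' | sort -u |
    while read -r ip; do
        if is_ipv4 "$ip"; then
            echo "route add -host $ip $DISCARD_GW"
        else
            echo "skipping invalid address: $ip" >&2
        fi
    done
}

# Number of route commands a given list would produce
count_routes() {
    echo "$1" | gen_blackhole_routes 2>/dev/null | wc -l | tr -d ' '
}

echo "$SAMPLE_LIST" | gen_blackhole_routes
```

Pipe the output to sh on the FreeBSD host once it has been checked; with tens of thousands of addresses the reply's warning about huge route tables still applies.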