pf vs null route

Doug Hardie bc979 at
Mon Jun 15 21:46:51 UTC 2009

My web server is always being attacked by people trying to guess our
users' passwords.  Most of the time the ids they try are not in use so
there is only a log entry and a bit of packet time involved.  However,
eventually they are likely to guess a valid id and password.  Some of
our users have very weak passwords.  Granted they will only be able to
get to the user's personal web space, but that would be inconvenient
for the user.

For a long time I have been using null routes for the persistent
attacks (set a route of for their address in the route
table).  This works fine.  We still get the first SYN packet, but
nothing after that.  I do have pf running on several of our servers
for other purposes and have been thinking about replacing the null
routes with a blocking table using pf.  The question is which scales
better?  My guess based on presumed implementation techniques is that
pf will scale better.  I currently have a table for incoming mail that
has over 100K entries and there is no noticeable effect on mail
processing times.  Unfortunately I can't tell if that is because I
also don't have any good way to determine if there were any effects.
pf would certainly provide additional capabilities, but given the
limited use of this server, I don't see any need for anything more.
Since we provide telnet and ftp access for users to their personal web
pages, I keep anything important on another server.
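The two mechanisms the post compares, as an added example that is not part of the original message or of FreeBSD itself: a small Python script tallies failed logins per source address from constructed auth.log-style lines (the addresses are RFC 5737 documentation ranges, not anything from the post), picks the persistent offenders, and emits either the pfctl commands that fill a pf blocking table or the equivalent FreeBSD blackhole host routes. The table name `bruteforce`, the threshold of five failures, the `$ext_if` macro and the `/etc/pf.bruteforce` file are assumptions chosen for the example.

```python
"""Added example (not from the original post): count failed logins per source
address in constructed auth.log-style lines, then emit either the pfctl
commands that fill a pf blocking table or the equivalent null-route commands."""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines in the format OpenSSH writes to /var/log/auth.log on
# FreeBSD.  Hosts and addresses are invented (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Jun 15 21:40:01 www sshd[1201]: Invalid user admin from 203.0.113.7
Jun 15 21:40:01 www sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 15 21:40:04 www sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Jun 15 21:40:07 www sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 51041 ssh2
Jun 15 21:40:09 www sshd[1209]: Failed password for invalid user guest from 203.0.113.7 port 51055 ssh2
Jun 15 21:40:12 www sshd[1212]: Failed password for doug from 203.0.113.7 port 51060 ssh2
Jun 15 21:40:14 www sshd[1214]: Failed password for doug from 203.0.113.7 port 51061 ssh2
Jun 15 21:41:30 www sshd[1220]: Failed password for doug from 198.51.100.23 port 40112 ssh2
Jun 15 21:41:35 www sshd[1221]: Accepted password for doug from 198.51.100.23 port 40112 ssh2
Jun 15 21:42:00 www sshd[1230]: Failed password for invalid user root from 192.0.2.99 port 2222 ssh2
Jun 15 21:42:01 www sshd[1231]: Failed password for invalid user root from 192.0.2.99 port 2223 ssh2
Jun 15 21:42:02 www sshd[1232]: Failed password for invalid user root from 192.0.2.99 port 2224 ssh2
Jun 15 21:42:03 www sshd[1233]: Failed password for invalid user root from 192.0.2.99 port 2225 ssh2
Jun 15 21:42:04 www sshd[1234]: Failed password for invalid user root from 192.0.2.99 port 2226 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumed names for this example, not taken from the post.
PF_TABLE = "bruteforce"
THRESHOLD = 5

# pf.conf fragment that the pfctl commands below feed.  $ext_if is an assumed
# macro for the outside interface; 'persist' keeps the table alive even when
# it is empty and 'file' reloads the saved entries when the ruleset is loaded.
PF_CONF = f"""\
table <{PF_TABLE}> persist file "/etc/pf.{PF_TABLE}"
block in quick on $ext_if from <{PF_TABLE}> to any
"""


def failures_by_source(log_text):
    """Count 'Failed password' lines per source address.

    'Invalid user ... from' lines are deliberately ignored: sshd logs one of
    those and then a 'Failed password' line for the same attempt, so counting
    both would double every guess against a non-existent account."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            # ip_address() normalises the text and rejects anything that is
            # not an address, so a malformed line cannot poison the table.
            counts[str(ip_address(m.group("ip")))] += 1
    return counts


def offenders(counts, threshold=THRESHOLD):
    """Addresses at or above the threshold, most failures first, then by address."""
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, n in ranked if n >= threshold]


def pf_commands(ips, table=PF_TABLE):
    """pfctl invocations that add each address to the blocking table.  pf drops
    the inbound packet itself, so not even the first SYN reaches the daemon."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


def nullroute_commands(ips):
    """FreeBSD route(8) invocations for a blackhole host route (IPv4 form; IPv6
    would need -inet6).  The inbound SYN is still delivered, but the reply has
    nowhere to go, so the attacker never completes a handshake."""
    return [f"route add -host {ip} 127.0.0.1 -blackhole" for ip in ips]


if __name__ == "__main__":
    bad = offenders(failures_by_source(SAMPLE_LOG))
    print(PF_CONF)
    for cmd in pf_commands(bad) + nullroute_commands(bad):
        print(cmd)
```

Both lookups are radix-tree searches (pf tables and the FreeBSD routing table share that data structure), so neither degrades linearly with the number of blocked hosts; the practical difference is that the pf rule stops the packet before it is delivered, while a blackhole route only silences the reply. Saving the table to the file named in the `table` line keeps the blocklist across a ruleset reload, which a null route in the live routing table does not survive on its own.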
