From: Matthias Apitz
To: Julian Elischer
Cc: hackers@freebsd.org
Date: Sun, 26 Feb 2012 22:14:25 +0100
Subject: Re: o
Message-ID: <20120226211424.GA1534@tiny>
In-Reply-To: <4F4A9E87.4080807@freebsd.org>
References: <4F4A9E87.4080807@freebsd.org>
List-Id: Technical Discussions relating to FreeBSD

On Sunday, February 26, 2012 at 01:05:11PM -0800, Julian Elischer wrote:

> On 2/26/12 5:34 AM, Bob Bishop wrote:
> > Hi,
> >
> > I'd like to hear from somebody who understands this stuff on the relative merits of blackhole routes vs firewall drop rules for dealing with packets from unwanted sources. I'm particularly interested in efficiency and scalability. Thanks
>
> the key is the word "from". routes can only be selected on 'TO'
> (destination) where
> firewalls can select on any combination of header fields.

I understand the idea of the OP as: based on the source IP addr, he wants to install routes so that the resulting IP packet to the source IP goes to "nowhere", i.e. not back to the origin IP, and the 1st SYN is not answered back to the source IP.

	matthias

-- 
Matthias Apitz               e - w http://www.unixarea.de/
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
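The distinction Julian draws (routes are keyed on the destination, firewall rules on any header field) and the consequence Matthias describes (the SYN still arrives, only the SYN-ACK is discarded) can be made concrete with a small model. The following is an added example, not code from the thread or from FreeBSD: it is a toy host with a longest-prefix routing table that honours a blackhole flag and an input firewall with first-match rules, fed a single TCP SYN. All addresses are constructed from the RFC 5737 documentation ranges; the `Host`, `Route` and `Packet` classes and the `handle_syn`/`outbound_syn` helpers are this example's own.

```python
"""Toy model of blackhole route vs. firewall drop rule (added example).

A routing table is consulted only when the host *sends* a packet and is
keyed on the destination address; a firewall rule is consulted when a
packet *arrives* and may inspect any header field.  The model records
which packets reached the TCP stack and which were actually emitted.
Addresses below are constructed from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "S" for SYN, "SA" for SYN-ACK


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    blackhole: bool = False  # models a route installed with a blackhole flag


@dataclass
class Host:
    addr: str
    routes: list
    # each rule is a callable returning True (pass), False (drop) or None (no match)
    fw_rules: list
    stack_seen: list = field(default_factory=list)
    emitted: list = field(default_factory=list)

    def lookup_route(self, dst):
        """Longest-prefix match on the destination; the source plays no part."""
        best = None
        for r in self.routes:
            if ipaddress.ip_address(dst) in r.prefix and (
                best is None or r.prefix.prefixlen > best.prefix.prefixlen
            ):
                best = r
        return best

    def firewall_passes(self, pkt):
        """First matching rule wins; default policy is pass."""
        for rule in self.fw_rules:
            verdict = rule(pkt)
            if verdict is not None:
                return verdict
        return True

    def send(self, pkt):
        route = self.lookup_route(pkt.dst)
        if route is None or route.blackhole:
            return None  # discarded on output, after the stack has done its work
        self.emitted.append(pkt)
        return pkt

    def receive(self, pkt):
        if not self.firewall_passes(pkt):
            return None  # dropped on input, before the stack ever sees it
        self.stack_seen.append(pkt)
        if pkt.flags == "S":  # the stack answers a SYN with a SYN-ACK
            return self.send(Packet(src=self.addr, dst=pkt.src, flags="SA"))
        return None


UNWANTED = ipaddress.ip_network("198.51.100.0/24")  # constructed source range
SERVER = "203.0.113.10"                              # constructed host address


def make_host(mechanism):
    """Build a host that shuns UNWANTED with the chosen mechanism."""
    routes = [Route(ipaddress.ip_network("0.0.0.0/0"))]  # default route
    rules = []
    if mechanism == "blackhole":
        routes.append(Route(UNWANTED, blackhole=True))
    elif mechanism == "firewall":
        rules.append(
            lambda p: False if ipaddress.ip_address(p.src) in UNWANTED else None
        )
    return Host(SERVER, routes, rules)


def handle_syn(mechanism, src):
    """Deliver one SYN from `src`; return (packets seen by stack, packets emitted)."""
    h = make_host(mechanism)
    h.receive(Packet(src=src, dst=SERVER, flags="S"))
    return len(h.stack_seen), len(h.emitted)


def outbound_syn(mechanism, dst):
    """Whether a connection the host itself initiates toward `dst` reaches the wire."""
    h = make_host(mechanism)
    return h.send(Packet(src=SERVER, dst=dst, flags="S")) is not None


if __name__ == "__main__":
    for mech in ("blackhole", "firewall"):
        print(mech, "unwanted SYN (seen, emitted):", handle_syn(mech, "198.51.100.7"))
        print(mech, "own SYN to unwanted net leaves:", outbound_syn(mech, "198.51.100.7"))
```

Two things the model makes visible. With the blackhole route the unwanted SYN still reaches the stack (a half-open entry is created and a SYN-ACK is built) and only the reply is thrown away, whereas the firewall rule drops the SYN on input; that is the efficiency difference behind the OP's question. And because route selection ignores the source, a blackhole route on a remote prefix also swallows the host's own outbound connections to that prefix, which a firewall rule written as "from X to any in" does not. On FreeBSD the corresponding real commands (not part of the thread) are `route add -net 198.51.100.0/24 127.0.0.1 -blackhole` and `ipfw add deny ip from 198.51.100.0/24 to any in`.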