From owner-freebsd-net@FreeBSD.ORG Wed May 28 14:04:06 2003
From: "Crist J. Clark"
To: Paul Chvostek
cc: freebsd-net@freebsd.org
Date: Wed, 28 May 2003 14:03:59 -0700
Subject: Re: ipfw rules vs routes to localhost?
Message-ID: <20030528210359.GA3907@blossom.cjclark.org>
In-Reply-To: <20030528045154.GA95572@mail.it.ca>
References: <20030528045154.GA95572@mail.it.ca>
User-Agent: Mutt/1.4.1i
X-URL: http://people.freebsd.org/~cjc/
List-Id: Networking and TCP/IP with FreeBSD

On Wed, May 28, 2003 at 12:51:54AM -0400, Paul Chvostek wrote:
>
> I'm considering:
>
>   ipfw add N deny ip from a.b.c.d to any
>
> vs.
>
>   route add -host a.b.c.d localhost
>
> I need to block traffic to a number of IP addresses. I thought I'd use
> ipfw to avoid things like UDP DNS lookups that might come in and take up
> resources while my system tried to respond, but it's been suggested on
> another list that setting routes to localhost will use less resources.
>
> Ideally, I'd like to be able to block a few tens of thousands of IPs.
>
> What's the scoop?

Someone is assuming the old rule for blocking traffic on a (Cisco)
router applies to the FreeBSD stack. It doesn't necessarily apply.

First off, blocking it in ipfw rules is obviously more efficient if you
are running ipfw(8) already. If you wouldn't be otherwise running
ipfw(8) at all, there _may_ be some gain. Packets blocked by ipfw(8)
get dropped very early in ip_input(), which is good, but _all_ packets
have to go through ipfw(8), and we usually assume the majority of
packets are "good" ones. So, the second case, adding the route, doesn't
add much overhead to the processing of good packets, but does greatly
increase the resources used before you toss out bad ones. You may end
up using fewer resources if there are only a few bad ones relative to
the good.

IMHO, if this machine is a firewall, use the right tool for
firewalling, ipfw(8). Are you short on resources in the first place? If
you are really pushing this machine's routing capabilities to its max,
you might be in need of an OS and hardware designed solely for routing.
Tinkering with ipfw(8) versus blackhole routes probably is not the way
to solve the problem.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
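As an added example, not part of the thread and not code from either poster, the POSIX sh script below turns a list of IPv4 addresses into the commands for the two approaches discussed (one ipfw(8) deny rule per address, or one blackhole host route per address) and, going beyond the thread, into a third form: an ipfw table with a single deny rule, which is how tens of thousands of addresses are blocked without a linear rule scan. The commands are printed, not executed, so the output can be reviewed offline. Assumptions not taken from the thread: the rule number 100 and table number 1 are arbitrary; the address list is constructed for illustration; the `-blackhole` modifier to route(8) and ipfw tables are features of FreeBSD releases later than the one this 2003 message was about.

```shell
#!/bin/sh
# Added example: generate blocklist commands for ipfw(8) rules, an ipfw
# table, or blackhole routes from a list of IPv4 addresses. Nothing is
# executed; review the output, then pipe it to sh on the firewall.
# Assumptions (not from the thread): rule 100 and table 1 are arbitrary
# defaults; -blackhole and ipfw tables exist on later FreeBSD releases.

# Constructed sample list; two entries are deliberately invalid so the
# validation path is exercised.
BLOCKLIST='192.0.2.10
198.51.100.20
203.0.113.30
not.an.ip
10.0.0.256'

# valid_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
valid_ipv4() {
    oldIFS=$IFS
    IFS=.
    set -- $1
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_lines LIST: print the valid addresses one per line, report the rest
# on stderr so a bad entry never silently becomes a malformed command.
valid_lines() {
    printf '%s\n' "$1" | while read -r ip; do
        if valid_ipv4 "$ip"; then
            echo "$ip"
        else
            echo "skipping invalid address: $ip" >&2
        fi
    done
}

# Approach 1 from the thread: one deny rule per address. ipfw walks the
# rule list in order, so N addresses cost up to N comparisons per packet.
ipfw_rules() {
    rule=${2:-100}
    valid_lines "$1" | while read -r ip; do
        echo "ipfw add $rule deny ip from $ip to any"
    done
}

# Approach 2 from the thread: a host route pointing at loopback, here with
# route(8)'s -blackhole modifier so the kernel discards the packet outright.
blackhole_routes() {
    valid_lines "$1" | while read -r ip; do
        echo "route add -host $ip 127.0.0.1 -blackhole"
    done
}

# Third form, not in the thread: load the addresses into an ipfw table and
# block them all with one rule, so the per-packet cost is a single lookup.
ipfw_table() {
    table=${2:-1}
    rule=${3:-100}
    valid_lines "$1" | while read -r ip; do
        echo "ipfw table $table add $ip"
    done
    # Quote table(N) so the parentheses survive the shell that runs the output.
    echo "ipfw add $rule deny ip from 'table($table)' to any"
}

# Stand-alone run: validate once, then print all three variants.
GOOD=$(valid_lines "$BLOCKLIST")
ipfw_rules "$GOOD"
blackhole_routes "$GOOD"
ipfw_table "$GOOD"
```

Save the script, run it with `sh` and check stderr for skipped entries before piping the stdout into `sh` on the firewall. The table variant is the one to reach for at the scale the question asks about, since it keeps the rule set to a single entry regardless of how long the address list grows.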