From: Neelkanth Natu <neelnatu@yahoo.com>
To: "Crist J. Clark", Paul Chvostek
Cc: freebsd-net@freebsd.org
Date: Wed, 28 May 2003 15:50:37 -0700 (PDT)
Subject: Re: ipfw rules vs routes to localhost?
Message-ID: <20030528225037.91756.qmail@web14206.mail.yahoo.com>
In-Reply-To: <20030528210359.GA3907@blossom.cjclark.org>
List-Id: Networking and TCP/IP with FreeBSD

--- "Crist J. Clark" wrote:
> On Wed, May 28, 2003 at 12:51:54AM -0400, Paul Chvostek wrote:
> >
> > I'm considering:
> >
> > ipfw add N deny ip from a.b.c.d to any
> >
> > vs.
> >
> > route add -host a.b.c.d localhost

If you do decide to go with the "route-to-localhost" approach, you
might want to add the "-blackhole" modifier so that the packets are
dropped in looutput(). Otherwise they would unnecessarily go up the
stack before being dropped in ip_input().

best
Neel

> > I need to block traffic to a number of IP addresses. I thought I'd use
> > ipfw to avoid things like UDP DNS lookups that might come in and take up
> > resources while my system tried to respond, but it's been suggested on
> > another list that setting routes to localhost will use less resources.
> > Ideally, I'd like to be able to block a few tens of thousands of IPs.
> >
> > What's the scoop?
>
> Someone is assuming the old rule for blocking traffic on a (Cisco)
> router applies to the FreeBSD stack. It doesn't necessarily apply.
>
> First off, blocking it in ipfw rules is obviously more efficient if
> you are running ipfw(8) already.
>
> If you wouldn't be otherwise running ipfw(8) at all, there _may_ be
> some gain. Packets blocked by ipfw(8) get dropped very early in
> ip_input(), which is good, but _all_ packets have to go through
> ipfw(8), and we usually assume the majority of packets are "good"
> ones. So, the second case, adding the route, doesn't add much overhead
> to the processing of good packets, but does greatly increase the
> resources used before you toss out bad ones. You may end up using
> fewer resources if there are only a few bad ones relative to the
> good.
>
> IMHO, if this machine is a firewall, use the right tool for
> firewalling, ipfw(8). Are you short on resources in the first place?
> If you are really pushing this machine's routing capabilities to its
> max, you might be in need of an OS and hardware designed solely for
> routing. Tinkering with ipfw(8) versus blackhole routes probably is
> not the way to solve the problem.
> --
> Crist J. Clark | cjclark@alum.mit.edu
> | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/ | cjc@freebsd.org
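The two approaches discussed in this thread, written out as a small generator for the "tens of thousands of IPs" case; this is an added example, not code from the thread or from FreeBSD. It assumes an address list of one IPv4 address per line on stdin; the rule-number start (1000) and the two mode names are this script's own choices. Note the asymmetry the thread glosses over: the ipfw rule matches packets coming *from* a.b.c.d, while the route only affects packets the host sends *to* a.b.c.d.

```shell
# Constructed example: emit FreeBSD blocking commands for an address list,
# either as ipfw deny rules or as blackhole host routes (-blackhole so the
# packet is discarded in looutput() rather than climbing to ip_input()).

# Validate a dotted-quad IPv4 address; returns 0 if valid, 1 otherwise.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# One ipfw rule: drops packets *from* the address early in ip_input(),
# but every packet still traverses the rule set.
ipfw_rule() {   # $1 = rule number, $2 = address
    printf 'ipfw add %s deny ip from %s to any\n' "$1" "$2"
}

# One blackhole host route: packets *to* the address are discarded in
# looutput() instead of going up the stack.
blackhole_route() {   # $1 = address
    printf 'route add -host %s 127.0.0.1 -blackhole\n' "$1"
}

# Read addresses from stdin, dedupe, validate, emit commands in mode $1.
gen_block_cmds() {   # $1 = "ipfw" | "route", stdin = address list
    mode=$1; n=1000
    sort -u | while IFS= read -r addr; do
        [ -z "$addr" ] && continue
        case "$addr" in '#'*) continue ;; esac
        if ! is_ipv4 "$addr"; then
            printf '# skipped invalid address: %s\n' "$addr" >&2
            continue
        fi
        if [ "$mode" = ipfw ]; then
            ipfw_rule "$n" "$addr"; n=$((n + 1))
        else
            blackhole_route "$addr"
        fi
    done
}
```

Run it as `gen_block_cmds route < blocklist.txt | sh` once the output has been reviewed; the commands need root on the FreeBSD host.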