Date: Sun, 26 Feb 2012 23:15:30 +0100 From: Damien Fleuriot <ml@my.gd> To: Bob Bishop <rb@gid.co.uk> Cc: "hackers@freebsd.org" <hackers@freebsd.org> Subject: Re: Blackhole routes vs firewall drop rules Message-ID: <92380FD0-F7E8-42B1-88C6-717DD9316A46@my.gd> In-Reply-To: <BC3D956B-FD78-4C1B-A4AA-8C33651237B2@gid.co.uk> References: <BC3D956B-FD78-4C1B-A4AA-8C33651237B2@gid.co.uk>
On 26 Feb 2012, at 14:34, Bob Bishop <rb@gid.co.uk> wrote:
> Hi,
>
> I'd like to hear from somebody who understands this stuff on the relative merits of blackhole routes vs firewall drop rules for dealing with packets from unwanted sources. I'm particularly interested in efficiency and scalability. Thanks
>

First, there is no definitive answer to your question because they both address different issues.

With a null (or blackhole) route, you effectively suppress ALL the traffic from an unwanted destination.

Note however that, unless you perform reverse path checks on your routers (Google uRPF and DFZ), ALL the packets from the source IP will still reach your servers and be processed, in the case of protocols without sessions (UDP comes to mind, ICMP as well).

This means your server might still work for no reason while processing the packets which will be dropped later.

Firewalling OTOH doesn't exhibit this drawback.

It also has the huge advantage of being able to filter on more aspects than simply the source IP: protocol, ports, rate limiting, automatic blacklisting... to name but a few of PF's capabilities.

You may want to be more accurate about your *needs* before asking us to discuss the *means* to attain them, though.

Hope that helps.
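As an added illustration (not part of Bob's question or Damien's reply), here is what the firewall side of the comparison looks like as a pf.conf fragment on FreeBSD, with the blackhole route it is being compared against shown in a trailing comment. The interface name em0, the table names and the 203.0.113.0/24 range (RFC 5737 documentation space) are assumptions chosen for the example:

```pf
# Added example, not from the original thread. pf.conf on FreeBSD contrasting
# a blackhole route with firewall drop rules. Interface name and addresses
# are constructed for illustration (203.0.113.0/24 is documentation space).

ext_if = "em0"                      # assumed external interface

# Unwanted sources live in a table so entries can be added or removed at run
# time without reloading the rule set:
#   pfctl -t badguys -T add 203.0.113.7
table <badguys> persist { 203.0.113.0/24 }

# Sources that trip the SSH rate limit below are inserted here automatically.
table <bruteforce> persist

set skip on lo0

# Reverse-path check (the uRPF point in the reply): packets whose source
# address is not reachable back out the interface they arrived on are dropped
# on input. A blackhole route by itself never does this.
block in quick on $ext_if from urpf-failed

# Drop everything from the listed sources on input, whatever the protocol, so
# the packets are never handed to the socket layer. This is the property a
# blackhole route lacks for sessionless traffic such as UDP or ICMP.
block in quick on $ext_if from { <badguys>, <bruteforce> }

# Default deny inbound, then allow selected services.
block in log on $ext_if
pass out on $ext_if keep state

# SSH: more than 5 new connections in 30 s from one source moves that source
# into <bruteforce> and flushes its existing states. This combines filtering
# on protocol and port, rate limiting and automatic blacklisting, none of
# which a route can express.
pass in on $ext_if proto tcp to ($ext_if) port 22 \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

pass in on $ext_if proto tcp to ($ext_if) port { 80, 443 } keep state

# For comparison, the blackhole route for the same range is added outside pf
# with route(8). It only affects traffic *to* 203.0.113.0/24: replies die in
# the routing table, but inbound UDP/ICMP from that range is still received
# and processed by the host before anything is dropped.
#   route add -net 203.0.113.0/24 127.0.0.1 -blackhole
```

Load with `pfctl -f /etc/pf.conf` and inspect the automatically populated table with `pfctl -t bruteforce -T show`; the `urpf-failed` rule should be used only on interfaces where the reverse path is known to be symmetric, otherwise legitimate traffic on asymmetric paths is dropped.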