Date:      Sun, 26 Feb 2012 23:15:30 +0100
From:      Damien Fleuriot <ml@my.gd>
To:        Bob Bishop <rb@gid.co.uk>
Cc:        "hackers@freebsd.org" <hackers@freebsd.org>
Subject:   Re: Blackhole routes vs firewall drop rules
Message-ID:  <92380FD0-F7E8-42B1-88C6-717DD9316A46@my.gd>
In-Reply-To: <BC3D956B-FD78-4C1B-A4AA-8C33651237B2@gid.co.uk>
References:  <BC3D956B-FD78-4C1B-A4AA-8C33651237B2@gid.co.uk>


On 26 Feb 2012, at 14:34, Bob Bishop <rb@gid.co.uk> wrote:

> Hi,
>
> I'd like to hear from somebody who understands this stuff on the relative merits of blackhole routes vs firewall drop rules for dealing with packets from unwanted sources. I'm particularly interested in efficiency and scalability. Thanks
>

First, there is no definitive answer to your question because they both address different issues.


With a null (or blackhole) route, you effectively suppress ALL the traffic from an unwanted destination.
Note however that, unless you perform reverse path checks on your routers (google urpf and DFZ), ALL the packets from the source IP will still reach your servers and be processed, in the case of protocols without sessions (UDP comes to mind, ICMP as well).
This means your server might still work for no reason while processing the packets which will be dropped later.


Firewalling OTOH doesn't exhibit this drawback.
It also has the huge advantage of being able to filter on more aspects than simply the source IP: protocol, ports, rate limiting, automatic blacklisting... to name but a few of PF's capabilities.



You may want to be more accurate about your *needs* before asking us to discuss the *means* to attain them, though.

Hope that helps.
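Example configuration, added here for illustration; it is not part of the message above nor taken from FreeBSD's or PF's own documentation. It puts the two approaches side by side on one FreeBSD host running PF: a blackhole route, which only affects what the host would send back toward the unwanted prefix, and pf.conf rules that drop inbound packets from the same prefix on ingress, apply the reverse-path check the message refers to, and use the protocol, port, rate-limiting and automatic-blacklisting filters it lists. The interface name em0, the table name <badguys>, and the addresses 203.0.113.0/24 and 198.51.100.7 (IETF documentation ranges) are assumptions.

```pf
# --- Blackhole route (run once from a shell, not part of pf.conf) ---
# Assumed prefix; 127.0.0.1 is the conventional gateway for a blackhole.
#   route add -net 203.0.113.0/24 127.0.0.1 -blackhole
# Only traffic *to* 203.0.113.0/24 is dropped. Inbound UDP/ICMP from that
# prefix still reaches listening daemons, which is the drawback described above.

# --- PF rules on the same host ---
ext_if = "em0"                      # assumed external interface

# Unwanted sources (assumed addresses). 'persist' keeps the table even when
# no rule currently references it, so it can be fed at runtime:
#   pfctl -t badguys -T add 198.51.100.7
table <badguys> persist { 203.0.113.0/24, 198.51.100.7 }

set skip on lo0
scrub in all

# Reverse-path check: drop packets whose source address would not be routed
# back out the interface they arrived on. With the blackhole route above
# installed, the return path for 203.0.113.0/24 points at lo0, not em0,
# so those packets are dropped here instead of reaching a daemon.
block in quick on $ext_if from urpf-failed

# Drop on ingress before any daemon sees the packet, and without creating state.
block in quick on $ext_if from <badguys>

# Filtering on more than the source address: protocol, port and rate.
# A client opening more than 5 TCP connections to ssh within 30 seconds is
# added to <badguys> and all of its existing states are flushed.
pass in on $ext_if inet proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <badguys> flush global)

pass out on $ext_if keep state
```

Load with `pfctl -f /etc/pf.conf`, inspect the table with `pfctl -t badguys -T show`, and remove an entry with `pfctl -t badguys -T delete 198.51.100.7`. The `urpf-failed` rule is only safe on hosts or routers with symmetric routing; on an asymmetrically routed border it will drop legitimate traffic.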


