From owner-freebsd-hackers@FreeBSD.ORG Sun Feb 26 22:45:25 2012
From: Damien Fleuriot <ml@my.gd>
Date: Sun, 26 Feb 2012 23:15:30 +0100
To: Bob Bishop
Cc: hackers@freebsd.org
Subject: Re: Blackhole routes vs firewall drop rules
Message-Id: <92380FD0-F7E8-42B1-88C6-717DD9316A46@my.gd>

On 26 Feb 2012, at 14:34, Bob Bishop wrote:

> Hi,
>
> I'd like to hear from somebody who understands this stuff on the relative merits of blackhole routes vs firewall drop rules for dealing with packets from unwanted sources. I'm particularly interested in efficiency and scalability. Thanks

First, there is no definitive answer to your question because they both address different issues.

With a null (or blackhole) route, you effectively suppress ALL the traffic from an unwanted destination.

Note however that, unless you perform reverse path checks on your routers (google urpf and DFZ), ALL the packets from the source IP will still reach your servers and be processed, in the case of protocols without sessions (UDP comes to mind, ICMP as well).

This means your server might still work for no reason while processing the packets which will be dropped later.

Firewalling OTOH doesn't exhibit this drawback.

It also has the huge advantage of being able to filter on more aspects than simply the source IP: protocol, ports, rate limiting, automatic blacklisting... to name but a few of PF's capabilities.

You may want to be more accurate about your *needs* before asking us to discuss the *means* to attain them, though.

Hope that helps.
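The two mechanisms compared in the reply, written out as an added example that is not part of the thread: a blackhole route per prefix using FreeBSD route(8) syntax, and a PF ruleset that drops the same sources inbound, adds the reverse-path check (urpf-failed) and the automatic blacklisting the reply mentions. The prefix list, the interface name em0, the table name badhosts and the port-22 rate-limit rule are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit both mechanisms discussed
# above for a constructed list of unwanted source prefixes on FreeBSD.
# Syntax follows route(8) and pf.conf(5); em0, <badhosts> and the
# port-22 rule are assumptions.

# Sample prefixes (constructed, RFC 5737 documentation space)
BAD_PREFIXES="203.0.113.0/24 198.51.100.7/32"

# Accept only dotted-quad IPv4 prefixes with an explicit mask. An
# unchecked entry here becomes a route or rule with a wider effect
# than intended, so invalid input is skipped rather than emitted.
valid_prefix() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Blackhole routes are destination-based: the kernel silently discards
# packets routed *to* these prefixes (replies), but inbound packets
# *from* them still arrive and are processed, as the reply explains.
gen_blackhole_routes() {
    for p in "$@"; do
        valid_prefix "$p" || { echo "skip invalid prefix: $p" >&2; continue; }
        echo "route add -net $p 127.0.0.1 -blackhole"
    done
}

# PF rules are source-based and drop before any processing. urpf-failed
# is PF's reverse-path check; the overload option feeds the same table
# automatically when a source exceeds the connection rate.
gen_pf_rules() {
    cat <<EOF
ext_if = "em0"
table <badhosts> persist { $* }
block in quick on \$ext_if from urpf-failed label "urpf"
block drop in quick on \$ext_if from <badhosts> to any
pass in on \$ext_if proto tcp to port 22 keep state (max-src-conn-rate 15/5, overload <badhosts> flush global)
EOF
}

# Stand-alone run: print both forms for the sample list.
gen_blackhole_routes $BAD_PREFIXES
gen_pf_rules $BAD_PREFIXES
```

The blackhole form needs one route per prefix and scales with the routing table; the PF form keeps all sources in one table that can be updated with `pfctl -t badhosts -T add` without reloading the ruleset, and the urpf-failed line is what closes the gap the reply describes for sessionless protocols.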