From: Bob Bishop <rb@gid.co.uk>
To: Matthias Apitz
Cc: hackers@freebsd.org
Date: Sun, 26 Feb 2012 23:06:49 +0000
Subject: Re: Blackhole routes vs firewall drop rules
In-Reply-To: <20120226211424.GA1534@tiny>
References: <4F4A9E87.4080807@freebsd.org> <20120226211424.GA1534@tiny>
Message-Id: <6CD56DF5-2976-45F6-8BFE-946BA96F5902@gid.co.uk>
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>

On 26 Feb 2012, at 21:14, Matthias Apitz wrote:

> On Sunday, February 26, 2012 at 01:05:11PM -0800, Julian Elischer wrote:
>
>> On 2/26/12 5:34 AM, Bob Bishop wrote:
>>> Hi,
>>>
>>> I'd like to hear from somebody who understands this stuff on the relative merits of blackhole routes vs firewall drop rules for dealing with packets from unwanted sources. I'm particularly interested in efficiency and scalability. Thanks
>>
>> the key is the word "from".
>> routes can only be selected on 'TO' (destination) where
>> firewalls can select on any combination of header fields.
>
> I understand the idea of the OP as, based on the source IP addr, he
> wants to install routes that the resulting IP pkg to the source IP goes
> to "nowhere", i.e. not back to the origin IP and the 1st SYN is not
> answered back to the source IP;

Exactly. But would firewall drop rules be a better (more efficient) way to do that?

> matthias
> --
> Matthias Apitz
> e - w http://www.unixarea.de/
> UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
> UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
>

--
Bob Bishop
rb@gid.co.uk
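Added illustration, not part of the thread: a small Python model of the distinction Julian draws and the behaviour Matthias describes. The routing table is consulted only on a packet's destination, so a blackhole route for the unwanted source swallows the SYN/ACK reply but does not stop the arriving SYN, whereas a firewall rule matching on source drops the SYN before it reaches the stack. Addresses and rule layout are constructed for the example (RFC 5737 documentation ranges), not taken from the list posts.

```python
import ipaddress

# Constructed example addresses from the RFC 5737 documentation ranges.
UNWANTED = ipaddress.ip_address("192.0.2.7")     # source we want to ignore
LOCAL = ipaddress.ip_address("198.51.100.10")    # our host


class RoutingTable:
    """Forwarding table: longest-prefix match on the DESTINATION address only."""
    def __init__(self):
        self.routes = [(ipaddress.ip_network("0.0.0.0/0"), "forward")]  # default route

    def add_blackhole(self, prefix):
        self.routes.append((ipaddress.ip_network(prefix), "blackhole"))

    def lookup(self, dst):
        hits = [(net, action) for net, action in self.routes if dst in net]
        return max(hits, key=lambda r: r[0].prefixlen)[1]


class Firewall:
    """Ordered first-match rule list; a rule may test any header field, here the source."""
    def __init__(self):
        self.rules = []  # (source network, action)

    def add_deny_from(self, prefix):
        self.rules.append((ipaddress.ip_network(prefix), "deny"))

    def check(self, src):
        for net, action in self.rules:
            if src in net:
                return action
        return "allow"


def handle_syn(src, dst, rt, fw):
    """Model a SYN from src arriving at dst; returns (syn_reached_stack, synack_sent)."""
    # Inbound: the firewall sees the packet first and can match on its source.
    if fw.check(src) == "deny":
        return (False, False)
    # The routing table is never consulted on the inbound packet's source, so the
    # SYN reaches TCP, which then tries to send a SYN/ACK whose destination is src.
    # Outbound: a blackhole route covering src swallows that reply.
    return (True, rt.lookup(src) == "forward")


def compare():
    """Same unwanted source handled each way; returns {approach: (reached, replied)}."""
    rt_only = RoutingTable(); rt_only.add_blackhole("192.0.2.7/32")
    fw_only = Firewall(); fw_only.add_deny_from("192.0.2.7/32")
    return {
        "blackhole_route": handle_syn(UNWANTED, LOCAL, rt_only, Firewall()),
        "firewall_drop": handle_syn(UNWANTED, LOCAL, RoutingTable(), fw_only),
        "neither": handle_syn(UNWANTED, LOCAL, RoutingTable(), Firewall()),
    }
```

With the blackhole route the host still spends a TCP stack lookup on every arriving SYN; with the firewall rule the packet is discarded at the input path, which is the difference the "from" versus "to" point turns on.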