Date: Sun, 26 Feb 2012 23:06:49 +0000
From: Bob Bishop <rb@gid.co.uk>
To: Matthias Apitz <guru@unixarea.de>
Cc: hackers@freebsd.org
Subject: Re: Blackhole routes vs firewall drop rules
Message-ID: <6CD56DF5-2976-45F6-8BFE-946BA96F5902@gid.co.uk>
In-Reply-To: <20120226211424.GA1534@tiny>
References: <BC3D956B-FD78-4C1B-A4AA-8C33651237B2@gid.co.uk> <4F4A9E87.4080807@freebsd.org> <20120226211424.GA1534@tiny>
On 26 Feb 2012, at 21:14, Matthias Apitz wrote:

> On Sunday, February 26, 2012 at 01:05:11PM -0800, Julian Elischer wrote:
>
>> On 2/26/12 5:34 AM, Bob Bishop wrote:
>>> Hi,
>>>
>>> I'd like to hear from somebody who understands this stuff on the relative merits of blackhole routes vs firewall drop rules for dealing with packets from unwanted sources. I'm particularly interested in efficiency and scalability. Thanks
>>
>> The key is the word "from". Routes can only be selected on 'TO'
>> (destination) where
>> firewalls can select on any combination of header fields.
>
> I understand the idea of the OP as, based on the source IP addr, he
> wants to install routes that the resulting IP pkg to the source IP goes
> to "nowhere", i.e. not back to the origin IP and the 1st SYN is not
> answered back to the source IP;

Exactly. But would firewall drop rules be a better (more efficient) way to do that?

> matthias
> --
> Matthias Apitz
> e <guru@unixarea.de> - w http://www.unixarea.de/
> UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
> UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
>

--
Bob Bishop
rb@gid.co.uk
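A small model of the distinction Julian draws, added here as an example that is not part of the thread: a route lookup keys only on the destination, so a blackhole route on the unwanted prefix stops the SYN-ACK going back but the inbound SYN still reaches the stack, whereas a firewall rule keying on the source drops it at ingress before any state is created. The topology, addresses (RFC 5737 documentation ranges) and function names are constructed for this example and simplify the kernel's real forwarding and filtering paths.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: this host is 192.0.2.10; the unwanted source
# prefix is 203.0.113.0/24.
LOCAL_ADDR = "192.0.2.10"
UNWANTED_NET = "203.0.113.0/24"


def route_lookup(routes, dst):
    """Longest-prefix match on the DESTINATION only, like the forwarding
    table; returns the (prefix, action) pair that wins."""
    best = None
    for prefix, action in routes:
        net = ip_network(prefix)
        if ip_address(dst) not in net:
            continue
        if best is None or net.prefixlen > ip_network(best[0]).prefixlen:
            best = (prefix, action)
    return best


def firewall_check(rules, src, dst):
    """First-match rule list; a rule may key on source AND destination."""
    for rule in rules:
        in_src = ip_address(src) in ip_network(rule["src"])
        in_dst = ip_address(dst) in ip_network(rule["dst"])
        if in_src and in_dst:
            return rule["action"]
    return "pass"


def handle_syn(src, dst, routes, rules):
    """Inbound SYN plus the SYN-ACK the stack would answer with.
    Returns (syn_reached_stack, syn_ack_sent)."""
    if firewall_check(rules, src, dst) == "deny":
        return (False, False)  # dropped at ingress, no connection state
    # Delivery keys on dst only: a blackhole on the SOURCE prefix is
    # never consulted here, so the stack processes the SYN.
    reached = route_lookup(routes, dst)[1] == "local"
    # The reply swaps addresses, so now the unwanted prefix is the dst.
    reply = route_lookup(routes, src)
    return (reached, reached and reply[1] != "blackhole")


BASE_ROUTES = [("0.0.0.0/0", "gateway"), (LOCAL_ADDR + "/32", "local")]
BLACKHOLE_ROUTES = BASE_ROUTES + [(UNWANTED_NET, "blackhole")]
DENY_RULES = [{"src": UNWANTED_NET, "dst": "0.0.0.0/0", "action": "deny"}]


def compare(attacker="203.0.113.7"):
    """Same SYN under each approach: (reached_stack, syn_ack_sent)."""
    return {
        "blackhole_route": handle_syn(attacker, LOCAL_ADDR, BLACKHOLE_ROUTES, []),
        "firewall_deny": handle_syn(attacker, LOCAL_ADDR, BASE_ROUTES, DENY_RULES),
    }
```

The blackhole case yields (True, False): the SYN is processed and only the reply is discarded; the firewall case yields (False, False).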