From: Xin LI
Organization: The FreeBSD Project
Date: Sun, 25 May 2008 01:49:15 -0700
To: Ighighi Ighighi
Cc: freebsd-pf@freebsd.org
Subject: Re: blackhole in PF possible?

Ighighi Ighighi wrote:
| blackhole(4) is hardly a feature if it applies to loopback interfaces
| as well. Its intended functionality
| ("to slow down anyone who is port scanning a system", according to the
| manpage) also slows down
| internal services because those TCP RSTs and ICMP Port Unreachables
| are never seen.
|
| Is there a way to get the same functionality in PF so I can restrict
| those packets to external interfaces?
|
| Thanks in advance,

skip on lo0?

-- 
** Help China's quake relief at http://www.redcross.org.cn/
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve!
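
An added example, not part of the original message: a pf.conf fragment that gives blackhole-style silent drops on an external interface only, while loopback is left unfiltered. The interface name em0 and the ssh pass rule are assumptions, as is the precondition that the blackhole(4) sysctls are switched off so the stack answers normally on lo0.

```conf
# Added example (constructed), not from the original thread.
# Precondition (assumption): blackhole(4) is disabled, e.g. in
# /etc/sysctl.conf:
#   net.inet.tcp.blackhole=0
#   net.inet.udp.blackhole=0
# so the stack sends TCP RST / ICMP Port Unreachable as usual and local
# clients talking to a closed port on lo0 fail fast instead of timing out.

ext_if = "em0"            # assumption: name of the external interface

set block-policy drop     # a plain "block" drops silently (no RST, no ICMP)
set skip on lo0           # pf does no filtering at all on loopback

# Unsolicited inbound packets on the external interface are dropped by pf
# before they reach the stack, so nothing is sent back to a port scanner.
block drop in on $ext_if all

# Assumption: sshd is the only service offered on the external side.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state

# Outbound connections and their replies are allowed statefully.
pass out on $ext_if all keep state
```

The ruleset can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`.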