Date: Mon, 15 Jun 2009 14:46:48 -0700 From: Doug Hardie <bc979@lafn.org> To: freebsd-questions - <freebsd-questions@freebsd.org> Subject: pf vs null route Message-ID: <1B37C3FB-1D82-4E8D-827D-D1391373C450@lafn.org>
next in thread | raw e-mail | index | archive | help
My web server is always being attacked by people trying to guess our user's passwords. Most of the time the ids they try are not in use so there is only a log entry and a bit of packet time involved. However, eventually they are likely to guess a valid id and password. Some of our users have very weak passwords. Granted they will only be able to get to the user's personal web space, but that would be inconvenient for the user. For a long time I have been using null routes for the persistent attacks (set a route of 127.0.0.2 for their adddress in the route table). This works fine. We still get the first SYN packet, but nothing after that. I do have pf running on several of our servers for other purposes and have been thinking about replacing the null routes with a blocking table using pf. The question is which scales better? My guess based on presumed implementation techniques is that pf will scale better. I currently have a table for incoming mail that has over 100K entries and there is no noticable effect on mail processing times. Unfortunately I can't tell if that is because I also don't have any good way to determine if there were any effects. pf would certainly provide additional capabilites, but given the limited use of this server, I don't see any need for anything more. Since we provide telnet and ftp access for users to their personal web pages, I keep anything important on another server.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1B37C3FB-1D82-4E8D-827D-D1391373C450>