From owner-freebsd-questions@FreeBSD.ORG Mon Jun 15 21:46:49 2009
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DE4991065679; Mon, 15 Jun 2009 21:46:49 +0000 (UTC) (envelope-from bc979@lafn.org)
Received: from zoom.lafn.org (zoom.lafn.org [206.117.18.8]) by mx1.freebsd.org (Postfix) with ESMTP id BC94F8FC33; Mon, 15 Jun 2009 21:46:49 +0000 (UTC) (envelope-from bc979@lafn.org)
Received: from [10.0.1.4] (pool-71-109-162-173.lsanca.dsl-w.verizon.net [71.109.162.173]) (authenticated bits=0) by zoom.lafn.org (8.14.3/8.14.2) with ESMTP id n5FLknlt064429 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Mon, 15 Jun 2009 14:46:49 -0700 (PDT) (envelope-from bc979@lafn.org)
Message-Id: <1B37C3FB-1D82-4E8D-827D-D1391373C450@lafn.org>
From: Doug Hardie
To: freebsd-questions
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Mon, 15 Jun 2009 14:46:48 -0700
X-Mailer: Apple Mail (2.935.3)
X-Virus-Scanned: clamav-milter 0.95.1 at zoom.lafn.org
X-Virus-Status: Clean
Subject: pf vs null route
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Mon, 15 Jun 2009 21:46:51 -0000

My web server is always being attacked by people trying to guess our users' passwords. Most of the time the ids they try are not in use, so there is only a log entry and a bit of packet time involved. However, eventually they are likely to guess a valid id and password. Some of our users have very weak passwords. Granted, they will only be able to get to the user's personal web space, but that would be inconvenient for the user.
For a long time I have been using null routes for the persistent attacks (set a route of 127.0.0.2 for their address in the route table). This works fine. We still get the first SYN packet, but nothing after that. I do have pf running on several of our servers for other purposes and have been thinking about replacing the null routes with a blocking table using pf.

The question is which scales better? My guess, based on presumed implementation techniques, is that pf will scale better. I currently have a table for incoming mail that has over 100K entries and there is no noticeable effect on mail processing times. Unfortunately I can't tell if that is because I also don't have any good way to determine if there were any effects. pf would certainly provide additional capabilities, but given the limited use of this server, I don't see any need for anything more. Since we provide telnet and ftp access for users to their personal web pages, I keep anything important on another server.
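The two techniques the post compares, side by side, as an added example that is not part of the original message and not code from the poster or the FreeBSD project. It assumes a pf table named "attackers" backed by the file /etc/pf.attackers (both names are my choice) and a pf.conf macro $ext_if for the outside interface; the address list fed to it is constructed. Where the null route lets the first SYN reach the stack and blackholes the reply, "block in quick" on the table drops the SYN on the way in, so the daemon never logs the attempt at all.

```shell
#!/bin/sh
# Added example: managing a pf blocking table versus per-host null routes
# on FreeBSD. Assumptions (not from the post): table name "attackers",
# file /etc/pf.attackers, and a pf.conf macro $ext_if.
#
# Matching pf.conf fragment (constructed):
#   table <attackers> persist file "/etc/pf.attackers"
#   block in quick on $ext_if from <attackers> to any
#
# Useful pfctl table commands once the rule is loaded:
#   pfctl -t attackers -T show                 # list entries
#   pfctl -t attackers -T expire 86400         # drop entries older than a day
#   pfctl -t attackers -T replace -f /etc/pf.attackers   # reload from file

TABLE=${TABLE:-attackers}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = run them (needs root)

# Accept only a dotted quad with octets 0-255; reject anything else so a
# malformed line from a log scraper cannot reach pfctl or route.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# pf table approach: one radix-tree entry per attacker.
pf_block_cmd()   { printf 'pfctl -t %s -T add %s\n' "$TABLE" "$1"; }
pf_unblock_cmd() { printf 'pfctl -t %s -T delete %s\n' "$TABLE" "$1"; }

# The post's existing approach, for comparison: route the host to 127.0.0.2
# so replies are discarded while the first inbound SYN still arrives.
nullroute_cmd()     { printf 'route add -host %s 127.0.0.2\n' "$1"; }
nullroute_del_cmd() { printf 'route delete -host %s\n' "$1"; }

# Read one address per line on stdin, drop malformed and duplicate lines,
# and print (or run) the blocking command for each. $1 is "pf" or "route".
gen_block_cmds() {
    mode=${1:-pf}
    sort -u | while IFS= read -r ip; do
        is_ipv4 "$ip" || continue
        case "$mode" in
            pf)    cmd=$(pf_block_cmd "$ip") ;;
            route) cmd=$(nullroute_cmd "$ip") ;;
            *)     echo "unknown mode: $mode" >&2; return 1 ;;
        esac
        if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$cmd"; else $cmd; fi
    done
}

# Constructed sample input: two real-looking addresses, a duplicate, a
# non-address and an out-of-range octet, as a careless scraper might emit.
if [ "${1:-}" = "demo" ]; then
    printf '203.0.113.7\nnot-an-ip\n203.0.113.7\n198.51.100.9\n300.1.1.1\n' \
        | gen_block_cmds "${2:-pf}"
fi
```

Run it as `sh block.sh demo pf` or `sh block.sh demo route` to see the commands it would issue; set DRY_RUN=0 as root to actually apply them. Because the table is declared with `persist file`, entries survive a `pfctl -f /etc/pf.conf` reload, and `-T expire` gives you the aging that a static null route never had.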