From: "Poul-Henning Kamp"
To: Francisco Reyes
Cc: FreeBSD Security List
Date: Sun, 21 Nov 2004 10:46:41 +0100
Subject: Re: Importing into rc.firewal rules
Message-ID: <20464.1101030401@critter.freebsd.dk>
In-Reply-To: Your message of "Sat, 20 Nov 2004 21:09:38 EST." <20041120210256.K27307@zoraida.natserv.net>

In message <20041120210256.K27307@zoraida.natserv.net>, Francisco Reyes writes:
>On Sat, 20 Nov 2004, Poul-Henning Kamp wrote:
>
>> If the list is long it may be almost as good, if not better, to use
>> blackhole routes for it.
>
>I was not familiar with the term. Looking in Google came up with a link.
>However in that link they recommend against that method.
>
>http://tinyurl.com/5r5cl
>
>Also any link on how to implement it?

	route add -host $IP 127.0.0.1 -blackhole

>What would be the advantage of that route vs ipfw?

It's faster because the route table uses a tree for lookup whereas
the firewall is sequential.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
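
An added example, not part of the original message: a POSIX shell script that turns a long block list into the `route add -host $IP 127.0.0.1 -blackhole` commands quoted above, validating every entry so that a malformed or hostile line in an imported list never reaches the shell. The function names and the sample list (RFC 5737 documentation addresses) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: print FreeBSD blackhole host routes for a block list.
# Nothing is executed here; review the output before applying it as root.

# is_ipv4 ADDR: succeed only for a dotted quad with four octets in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; only digits and dots remain here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_blackhole_routes: read one address per line on stdin ('#' starts a
# comment); print one route command per unique valid address.
gen_blackhole_routes() {
    seen=" "
    while IFS= read -r line || [ -n "$line" ]; do
        ip=${line%%#*}
        ip=$(printf '%s' "$ip" | tr -d ' \t\r')
        [ -n "$ip" ] || continue
        if ! is_ipv4 "$ip"; then
            printf 'skipped: %s\n' "$ip" >&2   # rejects go to stderr only
            continue
        fi
        case "$seen" in *" $ip "*) continue ;; esac   # drop duplicates
        seen="$seen$ip "
        printf 'route add -host %s 127.0.0.1 -blackhole\n' "$ip"
    done
}

# Constructed sample list, including entries that must be rejected.
sample_list() {
    cat <<'EOF'
# constructed block list
192.0.2.10
198.51.100.7   # repeat offender
192.0.2.10
203.0.113.300
198.51.100.9; reboot
EOF
}

sample_list | gen_blackhole_routes
```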