On 26 Feb 2012, at 21:14, Matthias Apitz wrote:

> On Sunday, February 26, 2012 at 01:05:11PM -0800, Julian Elischer wrote:
>
>> On 2/26/12 5:34 AM, Bob Bishop wrote:
>>> Hi,
>>>
>>> I'd like to hear from somebody who understands this stuff on the relative
>>> merits of blackhole routes vs firewall drop rules for dealing with packets
>>> from unwanted sources. I'm particularly interested in efficiency and
>>> scalability. Thanks
>>
>> The key is the word "from". Routes can only be selected on 'TO'
>> (destination), where firewalls can select on any combination of header fields.
>
> I understand the idea of the OP as, based on the source IP addr, he
> wants to install routes so that the resulting IP pkg to the source IP goes
> to "nowhere", i.e. not back to the origin IP, and the 1st SYN is not
> answered back to the source IP;

Exactly. But would firewall drop rules be a better (more efficient) way to do that?

> matthias
> --
> Matthias Apitz
> e <g...@unixarea.de> - w http://www.unixarea.de/
> UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
> UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5

--
Bob Bishop
r...@gid.co.uk

_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
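As an added illustration (not code from anyone in the thread), the sh script below models the asymmetry Julian describes: a route is looked up on the destination of the packet being sent, so a blackhole route for an unwanted source can only swallow the reply, while an ipfw deny rule is evaluated on the inbound packet's source. The prefixes are constructed from documentation ranges and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Models what each mechanism keys on
# for a TCP SYN arriving from an unwanted source. Prefixes are constructed
# documentation ranges; "blackhole" and "ipfw" are the two options compared.
UNWANTED="198.51.100.0/24 203.0.113.7/32"

# ip4_to_int 192.0.2.10 -> dotted quad as a plain integer
ip4_to_int() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix IP PREFIX/LEN -> exit 0 when IP lies inside the prefix
in_prefix() {
  _ip=$(ip4_to_int "$1"); _net=$(ip4_to_int "${2%/*}"); _len=${2#*/}
  _mask=$(( (0xffffffff << (32 - _len)) & 0xffffffff ))
  [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

unwanted() { for _p in $UNWANTED; do in_prefix "$1" "$_p" && return 0; done; return 1; }

# syn_outcome MECHANISM SRC -> what happens to a SYN from SRC to a listening port.
# The route table is consulted on the DESTINATION of the packet we send, so a
# blackhole route for SRC only catches our SYN-ACK on the way out; the SYN has
# already been parsed and a syncache entry created. An ipfw deny rule is
# evaluated on the inbound packet's SOURCE, before the TCP stack runs at all.
syn_outcome() {
  if ! unwanted "$2"; then echo "syn-accepted synack-sent"; return; fi
  case $1 in
    blackhole) echo "syn-accepted synack-blackholed" ;;
    ipfw)      echo "syn-dropped" ;;
    *)         echo "unknown-mechanism"; return 1 ;;
  esac
}

# The commands a FreeBSD admin would install for the same list. route(8) wants
# a gateway even with -blackhole; 127.0.0.1 is the usual choice. Only the ipfw
# form can narrow the match on other header fields (e.g. "tcp ... to any 22"),
# since a route carries no selectors beyond the destination prefix.
emit_rules() {
  for _p in $UNWANTED; do
    echo "route add -net $_p 127.0.0.1 -blackhole"
    echo "ipfw add deny ip from $_p to any in"
  done
}

syn_outcome blackhole 198.51.100.5
syn_outcome ipfw 198.51.100.5
emit_rules
```

The practical difference for the efficiency question is visible in the outcomes: with a blackhole route the host still spends the work of receiving and parsing the SYN and holding syncache state, whereas the firewall rule discards the packet before any of that happens.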