Everyone:
I've got an application in which I must block incoming TCP
connections to a FreeBSD server from a potentially large list of IP
addresses. Using IPFW is not a very efficient way to accomplish
this, because it must do a linear search of a list (either one
address per rule or an "or" list in a rule) and this could slow
down every packet entering the machine dramatically.
Could entering blackhole routes into the routing table possibly be
more efficient? (It would allow SYNs to come in, but with SYN
cookies enabled there'd be almost no overhead and the SYN-ACK would
never make it back to the center.) Is there any other mechanism I
should be looking at (e.g. a custom "divert" filter for SYNs)?
--Brett Glass
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
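An added example, not part of the mailing-list post above: instead of one ipfw rule per address (the linear scan the poster is worried about), current FreeBSD ipfw can hold the addresses in a lookup table (a radix tree, so the per-packet cost does not grow with the list) and match them from a single rule. The script below reads a blocklist, rejects malformed entries instead of loading them, and prints the `ipfw` commands for a table-based deny rule plus, for comparison, the `route ... -blackhole` form the poster asks about. Table number 1, rule number 100, the sample blocklist, and the choice to print rather than run the commands are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: build ipfw table rules for a
# large blocklist so the firewall does one table lookup per packet rather
# than scanning one rule per address. Commands are printed, not executed.

# Constructed sample blocklist (not from the post). It includes a comment
# and a malformed line to show that bad entries are dropped, not loaded.
SAMPLE_BLOCKLIST='192.0.2.10
198.51.100.0/24
# comment line
not-an-address
203.0.113.7'

# is_ipv4_cidr: accept a.b.c.d or a.b.c.d/n, octets 0-255, n 0-32.
is_ipv4_cidr() {
    addr=${1%%/*}
    pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32            # no "/n": a single host
    case "$pfx" in ''|*[!0-9]*) return 1;; esac
    [ "$pfx" -le 32 ] || return 1
    # Split on "." in a subshell so the caller's IFS is left untouched.
    (
        IFS=.
        set -- $addr
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do
            case "$o" in ''|*[!0-9]*) exit 1;; esac
            [ "$o" -le 255 ] || exit 1
        done
    )
}

# read_entries: strip comments and whitespace from stdin, report malformed
# lines on stderr, and emit one valid address or prefix per line.
read_entries() {
    while IFS= read -r line; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -n "$line" ] || continue
        if is_ipv4_cidr "$line"; then
            printf '%s\n' "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done
}

# gen_ipfw_table_rules TABLE RULE: load the blocklist into an ipfw address
# table and attach one rule that drops incoming TCP SYNs ("setup") from it.
gen_ipfw_table_rules() {
    table=${1:-1}; rule=${2:-100}
    printf 'ipfw table %s create type addr\n' "$table"
    read_entries | while IFS= read -r e; do
        printf 'ipfw table %s add %s\n' "$table" "$e"
    done
    printf 'ipfw add %s deny tcp from table(%s) to me setup in\n' "$rule" "$table"
}

# gen_blackhole_routes: the routing-table alternative from the post. Note
# that this only discards the reply; the SYN itself still reaches the stack.
gen_blackhole_routes() {
    read_entries | while IFS= read -r e; do
        case "$e" in
            */*) printf 'route add -net %s 127.0.0.1 -blackhole\n' "$e";;
            *)   printf 'route add -host %s 127.0.0.1 -blackhole\n' "$e";;
        esac
    done
}

# Stand-alone demo: show both command sets for the constructed blocklist.
printf '%s\n' "$SAMPLE_BLOCKLIST" | gen_ipfw_table_rules 1 100
printf '%s\n' "$SAMPLE_BLOCKLIST" | gen_blackhole_routes
```

Pipe the real blocklist into `gen_ipfw_table_rules` and feed the output to `sh` once it looks right; keeping the generator separate from execution makes it easy to diff a new blocklist against the loaded table before touching the live ruleset.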