2014-04-18 10:23 GMT+02:00 Tristan PILAT <tristan.pi...@gmail.com>:
> 2014-04-17 19:27 GMT+02:00 Tristan Pilat <tristan.pi...@gmail.com>:
>>
>> On 17 April 2014 19:02:14 CEST, Claudio Jeker <cje...@diehard.n-r-g.com> wrote:
>> >You can't use rtlabels for matching the source, at least I think it does
>> >not work. I would try to use the "set pftable dos" in bgpd and
>> >"block quick drop from <dos>" in pf.
>>
>> Ok, I will try this tomorrow, thanks. But if it does not work, how can I
>> set up a blackhole based on source address as described in RFC 5635 with
>> OpenBSD?
>> --
>> Tristan
>
> Me again.
>
> This slide from a presentation by Henning Brauer is very interesting...
> http://quigon.bsws.de/papers/2014/asiabsdcon/mgp00031.html
>
> I'll keep digging :-)
> --
> Tristan
Thanks Claudio, I just tested it and it works with "set pftable dos" in bgpd.conf and "block drop quick from <dos>" in pf.conf, but there is still a small thing. In my lab I tried this, sending ICMP, and it works only if I stop the ping command and relaunch it. I mean, if I'm pinging an IP address and then run the "bgpctl network add...", it doesn't hang ping. How can I stop the flow immediately with PF?
--
Tristan