Date:      Sun, 25 May 2008 15:00:09 +0100
From:      "James Seward" <jamesoff@gmail.com>
To:        "Ighighi Ighighi" <ighighi@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: blackhole in PF possible?
Message-ID:  <720051dc0805250700y54fa58b7yd63b279af177b8bb@mail.gmail.com>
In-Reply-To: <de5dfb5a0805250114m5f141e6ek5dcf83d916bc206f@mail.gmail.com>
References:  <de5dfb5a0805250114m5f141e6ek5dcf83d916bc206f@mail.gmail.com>

On Sun, May 25, 2008 at 9:14 AM, Ighighi Ighighi <ighighi@gmail.com> wrote:
> blackhole(4) is hardly a feature if it applies to loopback interfaces
> as well.  Its intended functionality
> ("to slow down anyone who is port scanning a system", according to the
> manpage) also slows down
> internal services because those TCP RSTs and ICMP Port Unreachables
> are never seen.
>
> Is there a way to get the same functionality in PF so I can restrict
> those packets to external interfaces?

Have a look at "set block-policy" and "block return" in the man page
for pf.conf.

/JMS
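As an added illustration of the two pf.conf knobs named in the reply (this fragment is not part of the original thread), the rule set below drops silently on the external interface while letting loopback and internal traffic receive normal TCP RST / ICMP unreachable replies. The interface names em0 and em1 and the port list are assumptions; adjust them to the host.

```pf
# Added example, not from the original thread.
# Assumed interface names: em0 faces the Internet, em1 faces the LAN.
ext_if = "em0"
int_if = "em1"

# Default for any "block" rule that does not say otherwise: silently drop,
# which gives the same effect on the wire as net.inet.tcp.blackhole and
# net.inet.udp.blackhole. With PF doing the dropping, those sysctls can
# stay at 0 so local services are no longer penalised.
set block-policy drop

# Never filter loopback: local clients connecting to a closed port get
# their RST / ICMP unreachable back at once instead of timing out.
set skip on lo0

# Silently drop unsolicited traffic from the outside (blackhole behaviour,
# but only on the external interface).
block drop in on $ext_if

# On the internal interface override the default policy so LAN hosts still
# see a RST (TCP) or ICMP port unreachable (UDP) for blocked ports.
block return in on $int_if

# Allow the services actually offered externally; anything else falls
# through to the silent drop above. Ports are placeholders.
pass in on $ext_if proto tcp to ($ext_if) port { 22 80 } keep state
pass out on $ext_if keep state

# LAN side: let internal hosts out and reach the box freely.
pass in on $int_if from $int_if:network keep state
pass out on $int_if keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`.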
