Date:      Wed, 28 May 2003 15:50:37 -0700 (PDT)
From:      Neelkanth Natu <neelnatu@yahoo.com>
To:        "Crist J. Clark" <cjc@freebsd.org>, Paul Chvostek <paul@it.ca>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipfw rules vs routes to localhost?
Message-ID:  <20030528225037.91756.qmail@web14206.mail.yahoo.com>
In-Reply-To: <20030528210359.GA3907@blossom.cjclark.org>

--- "Crist J. Clark" <crist.clark@attbi.com> wrote:
> On Wed, May 28, 2003 at 12:51:54AM -0400, Paul Chvostek wrote:
> > 
> > I'm considering:
> > 
> >   ipfw add N deny ip from a.b.c.d to any
> > 
> > vs.
> > 
> >   route add -host a.b.c.d localhost

If you do decide to go with the "route-to-localhost" approach, you might
want to add the "-blackhole" modifier so that the packets are dropped
in looutput(). Otherwise they would unnecessarily go up the stack 
before being dropped in ip_input().

best
Neel

> > 
> > I need to block traffic to a number of IP addresses.  I thought I'd use
> > ipfw to avoid things like UDP DNS lookups that might come in and take up
> > resources while my system tried to respond, but it's been suggested on
> > another list that setting routes to localhost will use less resources.
> > Ideally, I'd like to be able to block a few tens of thousands of IPs.
> > 
> > What's the scoop?
> 
> Someone is assuming the old rule for blocking traffic on a (Cisco)
> router applies to the FreeBSD stack. It doesn't necessarily apply.
> 
> First off, blocking it in ipfw rules is obviously more efficient if
> you are running ipfw(8) already.
> 
> If you wouldn't be otherwise running ipfw(8) at all, there _may_ be
> some gain. Packets blocked by ipfw(8) get dropped very early in
> ip_input(), which is good, but _all_ packets have to go through
> ipfw(8), and we usually assume the majority of packets are "good"
> ones. So, the second case, adding the route, doesn't add much overhead
> to the processing of good packets, but does greatly increase the
> resources used before you toss out bad ones. You may end up using
> fewer resources if there are only a few bad ones relative to the
> good.
> 
> IMHO, if this machine is a firewall, use the right tool for
> firewalling, ipfw(8). Are you short on resources in the first place?
> If you are really pushing this machine's routing capabilities to its
> max, you might be in need of an OS and hardware designed solely for
> routing. Tinkering with ipfw(8) versus blackhole routes probably is
> not the way to solve the problem.
> -- 
> Crist J. Clark                     |     cjclark@alum.mit.edu
>                                    |     cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"


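The thread compares two ways of dropping traffic from a list of addresses: an ipfw deny rule per address, or a host route to localhost with the -blackhole modifier so the packet dies in looutput() instead of climbing to ip_input(). The script below is an added example, not code from the thread or from FreeBSD: a POSIX sh script that cleans up a block list (comments, whitespace, duplicates, malformed entries, the usual noise in a list of tens of thousands of addresses) and emits it in either form. The address list is constructed for illustration; the rule-number base and step passed to ipfw_rules are parameters of this example, not anything the thread specifies.

```shell
#!/bin/sh
# Added example (not from the thread): emit a cleaned IPv4 block list as either
# ipfw deny rules or blackhole host routes, the two approaches compared above.

# Constructed sample list: a comment, stray whitespace, duplicates and one
# out-of-range octet, so the cleaning step has something to reject.
SAMPLE_LIST='# constructed block list
192.0.2.10
198.51.100.7
192.0.2.10
  203.0.113.200
300.1.2.3
203.0.113.200'

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are each 0-255.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# clean_list: read a list on stdin; strip comments and whitespace, drop blank
# lines, duplicates and anything that is not a valid IPv4 address.
clean_list() {
  sed -e 's/#.*//' -e 's/[[:space:]]//g' | grep -v '^$' | sort -u |
  while IFS= read -r ip; do
    if is_ipv4 "$ip"; then
      printf '%s\n' "$ip"
    fi
  done
}

# ipfw_rules BASE STEP: one "deny ip from ADDR to any" rule per address on
# stdin, numbered from BASE in increments of STEP. Every packet, good or bad,
# is checked against these rules, which is the per-packet cost the thread
# weighs against the route-based approach.
ipfw_rules() {
  n=$1
  clean_list | while IFS= read -r ip; do
    printf 'ipfw add %d deny ip from %s to any\n' "$n" "$ip"
    n=$((n + $2))
  done
}

# blackhole_routes: one host route to localhost per address on stdin, with
# -blackhole so the kernel drops the packet in looutput() rather than passing
# it up the stack to be discarded in ip_input().
blackhole_routes() {
  clean_list | while IFS= read -r ip; do
    printf 'route add -host %s localhost -blackhole\n' "$ip"
  done
}

# count_cmds GENERATOR [ARGS...]: number of command lines GENERATOR emits for
# the constructed sample list.
count_cmds() {
  printf '%s\n' "$SAMPLE_LIST" | "$@" | grep -c .
}

# Stand-alone use: print both forms for the sample list (review before feeding
# either into a shell as root).
printf '%s\n' "$SAMPLE_LIST" | ipfw_rules 1000 10
printf '%s\n' "$SAMPLE_LIST" | blackhole_routes
```

Only the three distinct well-formed addresses survive cleaning; 300.1.2.3 is rejected and the two duplicates collapse. Whichever form you pick, generating the commands from one cleaned list keeps the ipfw rule set and the route table in step if you later switch approaches.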


