Date: Thu, 29 May 2003 18:12:49 -0700 (PDT)
From: Neelkanth Natu <neelnatu@yahoo.com>
To: "."@babolo.ru, Paul Chvostek <paul@it.ca>
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw rules vs routes to localhost?
Message-ID: <20030530011249.96101.qmail@web14203.mail.yahoo.com>
In-Reply-To: <1054246787.649875.6873.nullmailer@cicuta.babolo.ru>
--- .@babolo.ru wrote:
> > I'm considering:
> >
> > ipfw add N deny ip from a.b.c.d to any
> >
> > vs.
> >
> > route add -host a.b.c.d localhost
> >
> > I need to block traffic to a number of IP addresses. I thought I'd use
> > ipfw to avoid things like UDP DNS lookups that might come in and take up
> > resources while my system tried to respond, but it's been suggested on
> > another list that setting routes to localhost will use less resources.
> > Ideally, I'd like to be able to block a few tens of thousands of IPs.
> >
> > What's the scoop?
> ipfw with huge list works slow.
> Don't try huge route tables.
>
> use in kernel:
> pseudo-device disc #Discard device (ds0, ds1, etc)
>
> and
> ifconfig ds0 inet 0.0.0.1/32 (or else)
> route add -host a.b.c.d 0.0.0.1
> instead of localhost

An advantage of using "disc" is that you can monitor interface counters and use tcpdump to see the discarded traffic. A blackhole route to the loopback interface does not offer you this luxury.

best
Neel
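The discard-interface recipe above, turned into a small sh script that bulk-installs host routes from a blocklist file; this is an added example, not code from the thread or from FreeBSD. It assumes a FreeBSD kernel built with `pseudo-device disc`, and the interface name, discard address and blocklist file format are the script's own assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: bulk-install "discard" routes for a
# blocklist using the recipe above (ifconfig ds0 + route add -host ... 0.0.0.1).
# Assumes a FreeBSD kernel built with "pseudo-device disc". DS_IF, DS_ADDR and
# the blocklist file format are this script's assumptions, not the thread's.
# Prints commands by default; set DRY_RUN=0 on the firewall to apply them.

DS_IF="${DS_IF:-ds0}"
DS_ADDR="${DS_ADDR:-0.0.0.1}"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# Bring up the discard interface exactly as suggested in the thread.
setup_discard_if() { run ifconfig "$DS_IF" inet "$DS_ADDR/32"; }

# Route every address in blocklist file $1 (one per line, '#' comments and
# trailing notes allowed) to the discard interface. Sets BLOCKED_COUNT and
# SKIPPED_COUNT; invalid lines are reported on stderr and never reach route(8).
install_blocklist() {
    BLOCKED_COUNT=0; SKIPPED_COUNT=0
    while read -r ip rest; do
        case "$ip" in ''|\#*) continue ;; esac
        if is_ipv4 "$ip"; then
            run route add -host "$ip" "$DS_ADDR"
            BLOCKED_COUNT=$((BLOCKED_COUNT + 1))
        else
            echo "skipping invalid address: $ip" >&2
            SKIPPED_COUNT=$((SKIPPED_COUNT + 1))
        fi
    done < "$1"
}

# Usage on the firewall: setup_discard_if; install_blocklist /etc/blocklist.txt
```

Once the routes are in place, `netstat -i` on ds0 shows how much traffic is being discarded and `tcpdump -i ds0` shows what it is, which is the monitoring advantage Neel points out.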