On 2/26/12 1:14 PM, Matthias Apitz wrote:
> On Sunday, February 26, 2012 at 01:05:11PM -0800, Julian Elischer wrote:
>
>> On 2/26/12 5:34 AM, Bob Bishop wrote:
>>> Hi,
>>>
>>> I'd like to hear from somebody who understands this stuff on the relative
>>> merits of blackhole routes vs firewall drop rules for dealing with packets from
>>> unwanted sources. I'm particularly interested in efficiency and scalability.
>>> Thanks
>>
>> the key is the word "from".  routes can only be selected on 'TO'
>> (destination), whereas firewalls can select on any combination of header fields.
>
> I understand the idea of the OP as, based on the source IP addr, he
> wants to install routes so that the resulting IP packet to the source IP goes
> to "nowhere", i.e. not back to the origin IP, and the 1st SYN is not
> answered back to the source IP;

Yes, but that is wasteful because you have used resources answering the incoming packet.
It would be better to have blocked it in the first place.

>         matthias
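The point Julian makes above (a route is chosen on the destination only, so a blackhole route keyed on the unwanted source can discard nothing until the reply is built, while an ingress firewall rule matching on the source drops the packet before the stack touches it) can be made concrete with a small model. This is an added illustration for the thread, not code from the list or from FreeBSD; the prefixes, addresses and the names of the processing stages are constructed for the example.

```python
"""Model of an inbound SYN from an unwanted source passing through either a
blackhole route or an ingress firewall rule.  Added illustration, not code
from the thread or from FreeBSD; all addresses and stage names are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]       # next hop; None for a blackhole entry
    blackhole: bool = False


class RoutingTable:
    """Longest-prefix match keyed on the DESTINATION address only, as a
    forwarding table is.  The source address is never consulted."""

    def __init__(self, routes: List[Route]):
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.IPv4Address(dst)
        for r in self.routes:
            if addr in r.prefix:
                return r
        return None


@dataclass
class FirewallRule:
    action: str                  # "deny" or "allow"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


class Firewall:
    """First-match rule list; unlike the routing table it may match on the
    source prefix (and any other header field we cared to model)."""

    def __init__(self, rules: List[FirewallRule]):
        self.rules = rules

    def verdict(self, src: str, dst: str) -> str:
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for r in self.rules:
            if s in r.src and d in r.dst:
                return r.action
        return "allow"


def handle_inbound_syn(src: str, dst: str, routes: RoutingTable,
                       firewall: Optional[Firewall]) -> Tuple[List[str], bool]:
    """Return the processing stages an inbound SYN goes through and whether a
    SYN-ACK actually leaves the host."""
    stages: List[str] = []
    if firewall is not None:
        stages.append("firewall")
        if firewall.verdict(src, dst) == "deny":
            return stages, False             # dropped at ingress, no further work
    # Inbound delivery: the lookup key is OUR address, so a blackhole entry
    # for the sender's prefix cannot match here.
    stages.append("route-lookup(dst=%s)" % dst)
    stages.append("tcp-stack")               # SYN parsed, state created, SYN-ACK built
    # Only the reply is destined to the sender, so only now can the blackhole bite.
    stages.append("route-lookup(dst=%s)" % src)
    r = routes.lookup(src)
    if r is None or r.blackhole:
        return stages, False                 # reply discarded after the work was done
    stages.append("transmit")
    return stages, True


def demo(src: str = "203.0.113.5", dst: str = "192.0.2.10",
         bad_prefix: str = "203.0.113.0/24") -> dict:
    """Run the same unwanted SYN through both approaches (constructed addresses)."""
    anywhere = ipaddress.IPv4Network("0.0.0.0/0")
    bad = ipaddress.IPv4Network(bad_prefix)
    plain = RoutingTable([Route(anywhere, "192.0.2.1")])
    with_blackhole = RoutingTable([Route(anywhere, "192.0.2.1"),
                                   Route(bad, None, blackhole=True)])
    fw = Firewall([FirewallRule("deny", bad, anywhere)])
    return {
        "blackhole_route": handle_inbound_syn(src, dst, with_blackhole, None),
        "firewall_drop": handle_inbound_syn(src, dst, plain, fw),
        "benign_source": handle_inbound_syn("198.51.100.7", dst, plain, fw),
    }


if __name__ == "__main__":
    for name, (stages, sent) in demo().items():
        print("%-16s sent=%-5s %s" % (name, sent, " -> ".join(stages)))
```

Neither approach lets a SYN-ACK out, but the blackhole path still runs the route lookup and the TCP stack for every unwanted SYN and only discards the reply, whereas the firewall path ends at the first stage. That per-packet difference is the efficiency argument in the thread; the scalability question (how large a table each mechanism can search quickly) is a separate matter the model does not address.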

_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"