Re: ipfw rules vs routes to localhost?

From: Neelkanth Natu (neelnatu_at_yahoo.com)
Date: 05/29/03

  • Next message: Barney Wolff: "Re: ipfw rules vs routes to localhost?"
    Date: Wed, 28 May 2003 15:50:37 -0700 (PDT)
    To: "Crist J. Clark" <cjc@freebsd.org>, Paul Chvostek <paul@it.ca>
    
    

    --- "Crist J. Clark" <crist.clark@attbi.com> wrote:
    > On Wed, May 28, 2003 at 12:51:54AM -0400, Paul Chvostek wrote:
    > >
    > > I'm considering:
    > >
    > > ipfw add N deny ip from a.b.c.d to any
    > >
    > > vs.
    > >
    > > route add -host a.b.c.d localhost

    If you do decide to go with the "route-to-localhost" approach, you might
    want to add the "-blackhole" modifier so that the packets are dropped
    in looutput(). Otherwise they would unnecessarily go up the stack
    before being dropped in ip_input().

    best
    Neel

    > >
    > > I need to block traffic to a number of IP addresses. I thought I'd use
    > > ipfw to avoid things like UDP DNS lookups that might come in and take up
    > > resources while my system tried to respond, but it's been suggested on
    > > another list that setting routes to localhost will use less resources.
    > > Ideally, I'd like to be able to block a few tens of thousands of IPs.
    > >
    > > What's the scoop?
    >
    > Someone is assuming the old rule for blocking traffic on a (Cisco)
    > router applies to the FreeBSD stack. It doesn't necessarily apply.
    >
    > First off, blocking it in ipfw rules is obviously more efficient if
    > you are running ipfw(8) already.
    >
    > If you wouldn't be otherwise running ipfw(8) at all, there _may_ be
    > some gain. Packets blocked by ipfw(8) get dropped very early in
    > ip_input(), which is good, but _all_ packets have to go through
    > ipfw(8), and we usually assume the majority of packets are "good"
    > ones. So, the second case, adding the route, doesn't add much overhead
    > to the processing of good packets, but does greatly increase the
    > resources used before you toss out bad ones. You may end up using
    > fewer resources if there are only a few bad ones relative to the
    > good.
    >
    > IMHO, if this machine is a firewall, use the right tool for
    > firewalling, ipfw(8). Are you short on resources in the first place?
    > If you are really pushing this machine's routing capabilities to its
    > max, you might be in need of an OS and hardware designed solely for
    > routing. Tinkering with ipfw(8) versus blackhole routes probably is
    > not the way to solve the problem.
    > --
    > Crist J. Clark | cjclark@alum.mit.edu
    > | cjclark@jhu.edu
    > http://people.freebsd.org/~cjc/ | cjc@freebsd.org

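As an added illustration of the two alternatives discussed in the thread (not code from any of the posters): a POSIX sh script that validates a constructed address list and only prints the commands for review, both the blackhole route with Neel's "-blackhole" modifier and the ipfw form. It also generalizes Paul's "tens of thousands of IPs" case with an ipfw lookup table, assuming the numbered-table syntax `ipfw table N add` (check ipfw(8) on your release; newer ones want a named table created first).

```shell
#!/bin/sh
# Prints blocking commands for a constructed address list; nothing here
# touches the kernel, so the output can be reviewed before being applied.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Blackhole route: packets to $1 are dropped in looutput() instead of
# travelling up the stack to ip_input() (Neel's "-blackhole" suggestion).
blackhole_route_cmd() {
    is_ipv4 "$1" || return 1
    printf 'route add -host %s 127.0.0.1 -blackhole\n' "$1"
}

# Per-address ipfw rule as Paul posted it; $2 is the rule number.
ipfw_deny_cmd() {
    is_ipv4 "$1" || return 1
    printf 'ipfw add %s deny ip from %s to any\n' "$2" "$1"
}

# For a long list, one rule per address makes every packet walk a huge
# ruleset; a lookup table keeps it to one rule (assumed numbered-table syntax).
ipfw_table_cmds() {
    table=$1; shift
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "skipping bad address: $ip" >&2; continue; }
        printf 'ipfw table %s add %s\n' "$table" "$ip"
    done
    printf "ipfw add 1000 deny ip from 'table(%s)' to any\n" "$table"
}

# Constructed sample list: RFC 5737 documentation addresses plus a bad entry.
BLOCKLIST="192.0.2.1 198.51.100.7 203.0.113.9 999.1.1.1"

echo "# blackhole routes"
for ip in $BLOCKLIST; do
    blackhole_route_cmd "$ip" || echo "skipping bad address: $ip" >&2
done
echo "# ipfw table"
ipfw_table_cmds 1 $BLOCKLIST
```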

