
List:       freebsd-hackers
Subject:    Re: o
From:       Julian Elischer <julian () freebsd ! org>
Date:       2012-02-26 22:25:15
Message-ID: 4F4AB14B.5000601 () freebsd ! org

On 2/26/12 1:14 PM, Matthias Apitz wrote:
> On Sunday, February 26, 2012 at 01:05:11PM -0800, Julian Elischer wrote:
> 
> > On 2/26/12 5:34 AM, Bob Bishop wrote:
> > > Hi,
> > > 
> > > I'd like to hear from somebody who understands this stuff on the relative
> > > merits of blackhole routes vs firewall drop rules for dealing with packets from
> > > unwanted sources. I'm particularly interested in efficiency and scalability.
> > > Thanks
> > The key is the word "from". Routes can only be selected on 'TO'
> > (destination), where firewalls can select on any combination of
> > header fields.
> I understand the idea of the OP as, based on the source IP addr, he
> wants to install routes that the resulting IP pkg to the source IP goes
> to "nowhere", i.e. not back to the origin IP and the 1st SYN is not
> answered back to the source IP;
Yes, but that is wasteful because you have used resources answering the
incoming packet.
It would be better to have blocked it in the first place.

> 	matthias

_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
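
The point made in this message, as an added example that is not part of the original thread: a simplified Python model of one inbound TCP SYN, comparing a blackhole route for the sender's prefix with a firewall rule that drops on the source address. The stage names, the addresses (documentation ranges) and the function names are assumptions made for illustration, not FreeBSD kernel internals.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not from the thread.
SERVER = ipaddress.ip_address("192.0.2.10")
UNWANTED = ipaddress.ip_network("203.0.113.0/24")
BASE_ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), "gateway"),
               (ipaddress.ip_network("192.0.2.10/32"), "local")]

def route_lookup(table, dst):
    """Longest-prefix match keyed on the destination address only."""
    matches = [(net, hop) for net, hop in table if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def handle_syn(src, dst, routes, fw_block_src=()):
    """Model one inbound SYN; return the list of stages the host executed."""
    work = []
    if fw_block_src:
        # A firewall may match on any header field, here the source address.
        work.append("firewall check")
        if any(src in net for net in fw_block_src):
            return work + ["dropped on input"]
    # Input routing looks at the destination, so the sender is never consulted.
    work.append("input route lookup")
    if route_lookup(routes, dst) != "local":
        return work + ["not for us"]
    work += ["TCP input", "build SYN-ACK"]
    # The reply's destination is the original source; only now can a
    # blackhole route for that prefix match.
    work.append("output route lookup")
    if route_lookup(routes, src) == "blackhole":
        return work + ["reply discarded"]
    return work + ["reply sent"]

def compare(src_text):
    """Return (blackhole-route trace, firewall-drop trace) for one sender."""
    src = ipaddress.ip_address(src_text)
    blackhole = handle_syn(src, SERVER, BASE_ROUTES + [(UNWANTED, "blackhole")])
    firewall = handle_syn(src, SERVER, BASE_ROUTES, fw_block_src=[UNWANTED])
    return blackhole, firewall

if __name__ == "__main__":
    names = ("blackhole route", "firewall drop")
    for name, trace in zip(names, compare("203.0.113.7")):
        print(f"{name:16} {' -> '.join(trace)}")
```
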

