[WBEL-users] Block IP Address

Bill Davidsen davidsen@tmr.com
Tue, 04 May 2004 14:21:46 -0400


Vincent.Raffensberger@dtn.com wrote:
> 
> I don't think there's a solid answer to that question.  It just depends 
> on the situation and your preference.  Regarding portability, 
> blackholing is commonplace on Sun systems.
> 
> If you already have iptables/ipchains running and need to block an 
> address(es), you may as well use iptables.
> If you're not using iptables and need to block an address, a blackhole 
> route is quick and easy.
> 
> You can easily make it temporary with an at job:
> 
> at 6am Saturday
> at> route delete -host 1.2.3.4
> 
> *Michael Torrie <torriem@chem.byu.edu>*
> Sent by: whitebox-users-admin@beau.org
> 05/01/2004 04:05 PM
> To: whitebox-users@beau.org
> Subject: Re: [WBEL-users] Block IP Address
> 
> On Fri, 2004-04-30 at 18:53, Richard Swift wrote:
>  > I really appreciate the help from all.  How would I go about checking if a
>  > reject route already exists?
>  >
>  > When I do a man on ROUTE one of the examples is :
>  > route add -net 10.0.0.0 netmask 255.0.0.0 reject
>  >
>  >
>  > I don't want to change the state if it is already configured.
> 
> Forgive my ignorance, but when should a route be rejected as opposed to
> just using iptables to drop a host or range of hosts?  Portability is
> one aspect, I imagine.

It appears that the methods work differently. Using a blackhole route 
will prevent the reply to the first SYN packet from being sent back. So 
a SYN will come in, be processed, and then at the point where the reply 
is about to be sent it is dropped. I have to test, but I suspect that 
leaves the socket in SYN-RECEIVED state or some such. If you use 
iptables the incoming packet is dropped (ignored) or rejected (a go-away 
packet is sent back). I believe that is the lower overhead method.

When blocking a LOT of hosts, the traversal of the blocking rules can 
become quite slow, relatively, since they are linear rather than hashed. 
I don't remember if the route is hashed or not; it seems to me that 
it's not, but I haven't looked at that code since 2.2 or so.

I don't think the reject route is portable; routing to the loopback 
address is.

-- 
    -bill davidsen (davidsen@tmr.com)
"The secret to procrastination is to put things off until the
  last possible moment - but no longer"  -me
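The check Richard asked about, whether a reject/blackhole route for a host is already in place before adding one, written here as an added shell example that is not code from anyone in the thread. It assumes iproute2's `ip route` syntax (the modern form of the `route add ... reject` quoted above), and the route table used for the self-check is a constructed sample, not output from a real host.

```shell
#!/bin/sh
# Added example: idempotently add a blackhole route for one host, checking
# the existing table first so a route that is already configured is left
# untouched, and optionally queue its removal with at(1) as Vincent showed.
# Assumes iproute2: `blackhole` silently drops, `unreachable` sends a reject.

# block_route_exists HOST TABLE_TEXT
# Succeeds if TABLE_TEXT (lines in `ip route show` format) already carries a
# blackhole, unreachable or prohibit route for exactly HOST (or HOST/32).
block_route_exists() {
    host="$1"
    table="$2"
    # Escape the dots so 1.2.3.4 does not also match 1x2x3x4.
    pat=$(printf '%s' "$host" | sed 's/\./\\./g')
    printf '%s\n' "$table" |
        grep -Eq "^(blackhole|unreachable|prohibit) ${pat}(/32)?( |$)"
}

# block_host HOST [AT_TIMESPEC]
# Adds the route only when it is absent; with a timespec such as
# "6am Saturday", queues the matching delete so the block is temporary.
# This path needs root and a live routing table, so it is not self-checked.
block_host() {
    host="$1"
    when="$2"
    if block_route_exists "$host" "$(ip route show)"; then
        echo "route for $host already present, leaving it alone"
        return 0
    fi
    ip route add blackhole "$host" || return 1
    if [ -n "$when" ]; then
        echo "ip route del blackhole $host" | at "$when"
    fi
}

# Constructed sample of `ip route show` output (documentation addresses),
# used only to exercise block_route_exists without touching the real table.
SAMPLE_TABLE='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 scope link
blackhole 198.51.100.7
unreachable 203.0.113.0/24'
```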