[WBEL-users] Block IP Address
Bill Davidsen
davidsen@tmr.com
Tue, 04 May 2004 14:21:46 -0400
Vincent.Raffensberger@dtn.com wrote:
>
> I don't think there's a solid answer to that question. It just depends
> on the situation and your preference. Regarding portability,
> blackholing is commonplace on Sun systems.
>
> If you already have iptables/ipchains running and need to block an
> address(es), you may as well use iptables.
> If you're not using iptables and need to block an address, a blackhole
> route is quick and easy.
>
> You can easily make it temporary with an at job:
>
> at 6am Saturday
> at> route delete -host 1.2.3.4
>
> *Michael Torrie <torriem@chem.byu.edu>*
> Sent by: whitebox-users-admin@beau.org
> 05/01/2004 04:05 PM
>
> To: whitebox-users@beau.org
> cc:
> Subject: Re: [WBEL-users] Block IP Address
>
> On Fri, 2004-04-30 at 18:53, Richard Swift wrote:
> > I really appreciate the help from all. How would I go about checking if a
> > reject route already exists?
> >
> > When I do a man on ROUTE one of the examples is :
> > route add -net 10.0.0.0 netmask 255.0.0.0 reject
> >
> >
> > I don't want to change the state if it is already configured.
>
> Forgive my ignorance, but when should a route be rejected as opposed to
> just using iptables to drop a host or range of hosts? Portability is
> one aspect, I imagine.
It appears that the methods work differently. Using a blackhole route
will prevent the reply to the first SYN packet from being sent back. So
a SYN will come in, be processed, and then at the point where the reply
is about to be sent it is dropped. I have to test, but I suspect that
leaves the socket in SYN-RECEIVED state or some such. If you use
iptables the incoming packet is dropped (ignored) or rejected (a go-away
packet is sent back). I believe that is the lower overhead method.
When blocking a LOT of hosts, the traversal of the blocking rules can
become quite slow, relatively, since they are linear rather than hashed.
I don't remember if the route is hashed or not, it seems to me that
it's not, but I haven't looked at that code since 2.2 or so.
I don't think the reject route is portable, routing to the loopback
address is.
--
-bill davidsen (davidsen@tmr.com)
"The secret to procrastination is to put things off until the
last possible moment - but no longer" -me
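Richard asked how to check whether a reject route already exists so that the state is not changed twice, and Vincent showed making the block temporary with an at job. The script below is an added example written for this archive page, not code posted by anyone in the thread. The function names (`blocking_route_in`, `block_host_until`), the constructed sample route listings, and the use of iproute2's `blackhole` route type in place of the `route add ... reject` form shown in the man page are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a blocking route for a
# host already exists before adding one, so repeated runs do not change state.
# Works on the output of `ip route show` (iproute2) and `route -n` (net-tools).

# blocking_route_in HOST
#   Reads a route listing on stdin; returns 0 if a reject/blackhole/unreachable
#   route for HOST is present, 1 otherwise.
#   iproute2 lines look like:  "blackhole 198.51.100.7"
#   net-tools lines look like: "198.51.100.7  -  255.255.255.255  !H  0 - 0 -"
blocking_route_in() {
    host="$1"
    awk -v h="$host" '
        # iproute2: the route type is the first field, the destination the second
        ($1 == "blackhole" || $1 == "unreachable" || $1 == "prohibit") &&
            ($2 == h || $2 == (h "/32")) { found = 1 }
        # net-tools: destination is the first field; "!" in Flags marks a reject route
        $1 == h && index($4, "!") > 0 { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# block_host_until HOST AT_TIME
#   Adds a blackhole route for HOST only if none exists, then schedules its
#   removal with at(1), as in Vincent's post. Needs root and iproute2.
#   AT_TIME is an at(1) time spec such as "6am Saturday".
block_host_until() {
    host="$1"; when="$2"
    if ip route show | blocking_route_in "$host"; then
        echo "blocking route for $host already present, nothing to do"
        return 0
    fi
    ip route add blackhole "$host" || return 1
    # $when is left unquoted on purpose: at(1) takes the time spec as words
    echo "ip route del blackhole $host" | at $when
}

# Constructed sample listing (iproute2 format) so the check can be exercised
# without root or a live routing table.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
blackhole 198.51.100.7
unreachable 203.0.113.0/24'

for h in 198.51.100.7 192.0.2.1; do
    if printf '%s\n' "$SAMPLE_ROUTES" | blocking_route_in "$h"; then
        echo "$h: blocking route present"
    else
        echo "$h: no blocking route"
    fi
done
```

Because the check parses a listing from stdin, it can be run against `ip route show`, `route -n`, or a saved copy of either, and it recognises both the iproute2 route types and the `!` flag that net-tools prints for a reject route. Only `block_host_until` touches the system; everything else is read-only.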