Menu
▾
▴
Re: [Sshguard-users] How do I use a custom backend .h, and other newbie Qs
|
From: Yves G. <yve...@ya...> - 2008-07-09 18:10:28
|
Hello, I read those articles, they are very interesting and there is a restriction about -blackhole (see man 8 route) Currently, routes with the RTF_BLACKHOLE flag set need to have the gate- way set to an instance of the lo(4) driver, using the -iface option, for the flag to have any effect; unless IP fast forwarding is enabled, in which case the meaning of the flag will always be honored. so may be you need the discard divice interface or the net.inet.ip.fastforwarding set to 1. Yves Guerin --- En date de : Lun 7.7.08, Mike Brown <mi...@sk...> a écrit : De: Mike Brown <mi...@sk...> Objet: Re: [Sshguard-users] How do I use a custom backend .h, and other newbie Qs À: ssh...@li... Date: Lundi 7 Juillet 2008, 23h03 Mij wrote: > > On my FreeBSD system, I've been using route(4) to manually manipulate my > > routing tables, setting up blackhole routes for IPs from which attacks > > originate. This works much more efficiently than ipfw, and very thoroughly > > blocks all communication with the compromised hosts. > > thanks, in general I appreciate contributions and customization so I look > fwd to include this into the trunk as soon as it becomes a convenient > solution. > > In which circumstances does this work more efficiently than ipfw or another > firewall? I consider quite negligible the load of rejecting connections: > what is the load at which you see this improvement? Thanks for replying. You ask good questions. I must admit, I've done no research of my own into this; I'm just relying entirely on the info in this message: http://lists.freebsd.org/pipermail/freebsd-questions/2005-July/092090.html (quoting the OP): "This is executed in the IP stack and is faster than in the firewall when you have over 20 of those special 'deny this IP address' rules in the firewall." A little Googling shows that someone else asked about the technique here (a couple years earlier): http://osdir.com/ml/os.freebsd.devel.net/2003-05/msg00168.html Opinions on efficiency differed but were inconclusive. This reply offered another route-based approach: http://osdir.com/ml/os.freebsd.devel.net/2003-05/msg00225.html (rather than routing to localhost with the 'blackhole' option, route to a specially configured pseudo-device with the same functionality) > A benefit that I see is that there is no dependency on specific firewalls > anymore. A drawback is that routing tables are not meant for this, so it > might be tricky to manage sshguard rules and avoid messing up with "manual" > ones. If you're interested in contributing this, please have a look at the > question of the portability across systems different from linux. The solution seems to rely on features/efficiencies of FreeBSD, but I don't know anything about Linux's TCP/IP stack, so maybe the situation there is similar. I'm not qualified to judge. (I'll respond to the rest later) Thanks again, -Mike ------------------------------------------------------------------------- Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW! Studies have shown that voting for your favorite open source project, along with a healthy diet, reduces your potential for chronic lameness and boredom. Vote Now at http://www.sourceforge.net/community/cca08 _______________________________________________ Sshguard-users mailing list Ssh...@li... https://lists.sourceforge.net/lists/listinfo/sshguard-users _____________________________________________________________________________ Envoyez avec Yahoo! Mail. Une boite mail plus intelligente http://mail.yahoo.fr |
