From: Mike B. <mi...@sk...> - 2008-07-09 20:00:02
Yves Guin wrote:
> Hello,
>
> I read those articles, they are very interesting and there is a restriction about -blackhole (see man 8 route)
>
> Currently, routes with the RTF_BLACKHOLE flag set need to have the gateway
> set to an instance of the lo(4) driver, using the -iface option, for
> the flag to have any effect; unless IP fast forwarding is enabled, in
> which case the meaning of the flag will always be honored.
>
> so maybe you need the discard device interface or the net.inet.ip.fastforwarding set to 1.

Not exactly; it just means that as of when that man page was written (in 2005), there was a requirement that you do this:

'route add <destinationIP> <gatewayIP> -blackhole -iface'

rather than this:

'route add <destinationIP> <gatewayIP> -blackhole'

and you had to make sure gatewayIP was one assigned to a loopback interface. By default, FreeBSD systems will have loopback interface device lo0 running and assigned to 127.0.0.1 / ::1. So 127.0.0.1 is generally safe to use as the gateway IP.

The only question, then, is whether -iface (or -interface, same thing) is still required. It doesn't seem to be; I've been getting along fine without it, so I assume the bug is fixed.

Mike