
Re: blocking an ip with route



On Thu, Nov 14, 2002 at 05:39:10PM +0100, rob wrote:
> I'm looking for a way to deny access from an ip with route.
> I've read the manpages and I think I'm looking for the -blackhole flag.
> Now my question; can anyone give me an example of the route command with 
> -blackhole or -reject?

route -n add -net 10.0.0.0 -netmask 255.0.0.0 -interface 127.0.0.1 -reject > /dev/null

I have 35 of these in hostname.if(5) for all IANA and rfc3330 reserved
networks. Note that this does not deny access from these reserved networks
to your machine, rather it denies your machine access to the reserved
networks. This less liberal interpretation of the Robustness Principle
from rfc1812 might be less secure but seemed to me important. Rejecting
traffic this way has the benefit of returning rejection notification
to the internal initializing client, whereas a pf drop return on the
external interface does not because when the drop rule matches, the
source address is the external interface rather than the original client.
-- 
mls
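
An added example, not code from the post above or from OpenBSD itself: a POSIX sh script that generates hostname.if(5) lines of the same shape as the one-liner quoted above ("!" prefix so hostname.if runs them as commands), converting CIDR prefixes to the dotted netmask route(8) expects, and a small check that reports which reject route a given destination address would hit. The network list is a constructed, abridged subset of the RFC 3330 special-use blocks chosen for illustration, not the poster's 35-entry list, and all function names are assumptions.

```shell
#!/bin/sh
# Added example: generate -reject routes for reserved networks and check
# which route a destination would match. Everything below is illustrative.

# Constructed list (abridged subset of RFC 3330 special-use space).
# Unallocated space changes over time; regenerate from a current source
# rather than copying a 2002 list.
RESERVED_NETS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

# ip_to_int A.B.C.D -> unsigned 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_to_netmask 12 -> 255.240.0.0 (route(8) wants -netmask in dotted form)
prefix_to_netmask() {
    if [ "$1" -eq 0 ]; then echo 0.0.0.0; return; fi
    int_to_ip $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# reject_route_cmd NET PREFIX -> the route command, same shape as the post's example.
# -reject makes the kernel return an unreachable error to the local sender;
# -blackhole would discard silently instead.
reject_route_cmd() {
    echo "route -n add -net $1 -netmask $(prefix_to_netmask "$2") -interface 127.0.0.1 -reject > /dev/null"
}

# gen_hostname_if -> one "!command" line per network, for hostname.if(5)
gen_hostname_if() {
    for n in $RESERVED_NETS; do
        echo "!$(reject_route_cmd "${n%/*}" "${n#*/}")"
    done
}

# ip_in_net IP NET PREFIX -> true if IP falls inside NET/PREFIX
ip_in_net() {
    mask=$(ip_to_int "$(prefix_to_netmask "$3")")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# matching_net IP -> prints the first reserved network IP falls in, else returns 1.
# Use this to confirm a destination really would be rejected by the host's own
# routes; remember these routes stop outbound traffic only, as the post says.
matching_net() {
    for n in $RESERVED_NETS; do
        if ip_in_net "$1" "${n%/*}" "${n#*/}"; then echo "$n"; return 0; fi
    done
    return 1
}

# sh bogon-routes.sh --emit >> /etc/hostname.ext0   (hypothetical usage)
if [ "${1:-}" = "--emit" ]; then gen_hostname_if; fi
```

Because the routes point at lo0 with -reject, a connection to a listed block fails immediately with a host-unreachable error instead of being silently dropped by pf, which is the behaviour the post is after.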