[Techtalk] when to blackhole routes?

Doc Nielsen docnielsen at gmail.com
Tue Apr 17 00:31:52 UTC 2007


A blackhole is the el-cheapo way of firewalling.
It doesn't prevent packets from getting in, it just prevents you from
sending packets to the host. And if you are behind a router with a
blackhole line in the routing table, it prevents users behind the
router as well.
I would never use a null-route, and I see no real use for it. IMO it
doesn't make sense now that iptables exists. If you however are on a
(cisco or other) hardware router, a null-route may be your only option
of firewalling, to keep someone in or out, and then using it there
would make perfect sense. But using a hardware firewall might be a
better option.

All internet routers (should) have a default blackhole policy
regarding RFC1918 addresses, so there should be no way your packets
from your local lan would ever get beyond first hop.
If you wish to be sure, three simple drop lines in your iptables
output chain should solve this completely.

iptables -A OUTPUT -o ethX -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -o ethX -d 172.16.0.0/12  -j DROP
iptables -A OUTPUT -o ethX -d 10.0.0.0/8     -j DROP

Where ethX is the interface to the outside (untrusted) network/internet.


-Doc

On 4/17/07, Carla Schroder <carla at bratgrrl.com> wrote:
> Under what circumstances does it make sense to blackhole routes? An obvious
> example is blocking spammers or other pests, like out-of-control web spiders.
> What about blocking RFC 1918 addresses entering or leaving your network with
> routing commands instead of iptables rules?
>
> What else?
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Carla Schroder
> Linux geek and random computer tamer
> check out my Linux Cookbook!
> http://www.oreilly.com/catalog/linuxckbk/
> best book for sysadmins and power users
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://linuxchix.org/mailman/listinfo/techtalk
>


-- 
No trees were killed in the sending of this message.
However, a large number of electrons were terribly inconvenienced
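As an added illustration (not code from the message above or from either poster), here is a small Python model of the two mechanisms the reply contrasts: a locally generated packet first goes through the kernel's longest-prefix route lookup, where a blackhole route discards it outright, and only packets that get a real egress route are then checked against the filter OUTPUT rules. The route table, the interface names eth0/eth1 and the destination addresses are constructed sample data; the three OUTPUT rules are the ones from the message with ethX set to eth0.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "prefix dev blackhole")  # dev is None for blackhole routes

def parse_routes(text):
    """Parse lines in `ip route show` syntax (constructed sample, not a live table)."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        blackhole = tok[0] in ("blackhole", "unreachable", "prohibit")
        prefix = tok[1] if blackhole else tok[0]
        net = ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix)
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        routes.append(Route(net, dev, blackhole))
    return routes

def parse_output_rules(text):
    """Parse `-A OUTPUT -o IFACE -d NET -j TARGET` lines as iptables-save prints them."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        opts = dict(zip(tok[0::2], tok[1::2]))  # flag -> value, e.g. "-d" -> "10.0.0.0/8"
        rules.append((opts.get("-o"), ipaddress.ip_network(opts["-d"]), opts["-j"]))
    return rules

def outbound_verdict(dst, routes, rules):
    """Fate of a locally generated packet: the longest-prefix route lookup runs first,
    so a blackhole route drops it before the OUTPUT chain is walked (first match wins)."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r.prefix), key=lambda r: r.prefix.prefixlen)
    if best.blackhole:
        return "dropped by blackhole route"
    for oif, net, target in rules:
        if (oif is None or oif == best.dev) and dst in net:
            return f"{target} by iptables OUTPUT"
    return f"sent via {best.dev}"

# Constructed gateway: eth0 = untrusted uplink, eth1 = LAN; the LAN /24 is more
# specific than any RFC 1918 block, so it stays reachable either way.
ROUTES = parse_routes("""
default via 203.0.113.1 dev eth0
blackhole 172.16.0.0/12
192.168.1.0/24 dev eth1 proto kernel scope link
""")
OUTPUT_RULES = parse_output_rules("""
-A OUTPUT -o eth0 -d 192.168.0.0/16 -j DROP
-A OUTPUT -o eth0 -d 172.16.0.0/12 -j DROP
-A OUTPUT -o eth0 -d 10.0.0.0/8 -j DROP
""")
```

Calling `outbound_verdict("192.168.50.1", ROUTES, [])` shows the leak the rules are there to stop (the packet leaves via eth0), while the same call with `OUTPUT_RULES` returns the DROP; the model says nothing about inbound traffic, which, as the message notes, neither a blackhole nor these OUTPUT rules touch.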

