At 16:20 08/11/00 +0000, HUNGRY PIRANHA wrote:
>what might be a better less cpu intensive process would be to create
>static routes to the rfc1918(read it) network space with a next hop of null0;
While this seems intuitive, I don't agree.
Rejecting the packet when just received is better than executing
thousands of statements in IP input and forward functions, and searching
the routing table. Add to this that the "last route caching" mechanism will
cache a null route, which means the last real route is removed from the cache,
which will also reduce performance.
Moreover, the most expensive CPU is the brain of the administrator. By blocking
those addresses in the first place, you no longer need to keep 'em in mind
when configuring your routes, checking your logs, ...
>don't do this if you are running bgp or ospf.
This is another arg.
cheers,
mouss