Subject: Re: what is proper way to route -blackhole?
To: Jeremy C. Reed <reed@reedmedia.net>
From: Courtney R. Spencer <cspencer@mindspring.com>
List: netbsd-help
Date: 07/13/2005 13:48:53
On Tue Jul 12, 2005 at 09:51:35PM -0700, Jeremy C. Reed wrote:
> I want to use route -blackhole to silently discard packets.
> 
> I always used 127.0.0.1 as the gateway.
> 
> But netstat shows me I still have packets transferred.
> 
> I realized I was routing on wrong interface.
> 
> Please share your examples on how you use route -blackhole (or -reject).
> 
> Or share your thoughts on why I should use a packet filter instead.
> 
> Thanks!


In my experience a "null route" only affects return packets, meaning the
SYN was sent to your system, and it wants to respond, but you routed the
host or network so your packets don't leave the box.  Because there was
no response, the host will attempt to connect a couple of times or more.

That could be why you see the "Use" go up.  -reject sounds like it might
give a TCP reset, but in use, and as I see in its manpage, it gives
an ICMP unreachable.  So the behavior you get with route appears similar
either way, like that of firewalling.

I prefer to give resets for TCP and block ICMP or UDP via ipfilter if
possible.  Either method is fine if you are trying to protect an
application, though I don't like attempted sockets piling up if I'm
denying or if the network normally receives a lot of traffic.


-- 
Courtney R. Spencer
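As an added illustration (not part of the original mail), the ipf.conf rules below implement the preference Courtney describes (RST for TCP, silent drop for UDP and ICMP), with the route-based alternatives from the thread shown in comments for comparison. The interface name fxp0 and the 192.0.2.0/24 range are assumed placeholder values.

```conf
# Added example, not from the original thread. fxp0 and 192.0.2.0/24 are
# placeholders; substitute your own interface and the range you want to deny.
#
# Route-based approaches discussed in the thread (gateway 127.0.0.1 as in
# Jeremy's setup):
#   route add -net 192.0.2.0/24 127.0.0.1 -blackhole   # our replies are dropped silently
#   route add -net 192.0.2.0/24 127.0.0.1 -reject      # our replies become ICMP unreachable
# Both act only on packets leaving this box. Inbound SYNs still arrive,
# still bump the route's "Use" counter in netstat -rn, and the peer keeps
# retransmitting because it never hears back.

# Inbound TCP from the range: answer with a RST so the peer's connect()
# fails at once instead of retrying and leaving attempted sockets around.
block return-rst in quick on fxp0 proto tcp from 192.0.2.0/24 to any

# Inbound UDP and ICMP from the range: drop with no reply at all.
block in quick on fxp0 proto udp from 192.0.2.0/24 to any
block in quick on fxp0 proto icmp from 192.0.2.0/24 to any
```

Load with ipf -Fa -f /etc/ipf.conf and confirm the hits with ipfstat -hio; the blocked counters rise while netstat -rn "Use" for any blackhole route stays flat, which separates the two behaviours the thread is comparing.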