BSD "route add" and pfSense



  • This note describes something I have done with Linux firewalls (iptables / firewalld) and asks how or if that applies to pfSense or BSD. I hope it won't be considered off-topic.

    I run some websites and reflectors as a pro bono project for some public-service non-profit organizations. There is nothing on the websites or the reflectors that is of any interest outside of the USA and Canada; however we get thousands of hits a day from elsewhere, mostly Asia but not exclusively, trying to probe for vulnerabilities and break in. I run iptables / firewalld on the servers (all of which I'm working to replace with one pfSense firewall) but I also have a /etc/rc.d/rc.local with a few hundred instances of this:

    /sbin/route add -net AAA.BBB.X.Y/nn reject

    ... to cover subnets or "/sbin/route add -host" to lock out specific abusive IPs.

    The objective... and I think this is how it works (let me know if not)... is to brute-force lock out all of the networks that have been abusive in the past (meaning all of APNIC, RIPE, AFRNIC, LACNIC, and much of Digital Ocean) before it ever gets to the firewall.

    My questions are... (1) do I save anything in performance by doing it this way rather than letting the firewall handle it all?, and (2) if (1) == true, then is there a way to do the same thing in BSD (I read the FreeBSD route man page and spent some time googling and couldn't find one) to pre-filter packets before they hit pfSense, and is it worthwhile to do that? "route add -net xxxx/x reject" doesn't work in BSD and I haven't been able to find an equivalent.

    Thanks...


  • Rebel Alliance Developer Netgate

    For the route table to be consulted it would have to pass through the firewall. It's better to drop the traffic at the firewall.

    And using -reject is bad because that sends back an ICMP unreachable. If it's a malicious network, you don't want to send anything back based on their requests. What you want is -blackhole.

    And you can still add those on BSD if you want, but you have to supply a gateway:

    route add -blackhole -net x.x.x.y/zz 127.0.0.1
    

    Or use the GUI and pick Null4 or Null6 as the gateway.

    I'd still just block it in firewall rules and forget about it though.


Log in to reply