Making, drinking tea and reading an opus magnum from Daniel Hartmeier:
> On Sun, Dec 08, 2002 at 10:20:18AM -0300, Alejandro G. Belluscio wrote:
> > I don't have an exact understanding of the no-route option. At least
> > in the following sense: which exactly means to be non routable?
> no-route is only meaningful on firewalls that have no default gateway
> configured. There, it means all addresses that are not reachable through
> a configured route (part of a network the firewall is connected to).
> In other words, 'no-route' means 'do a routing table lookup for that
> destination address, and if you can't find one, the address matches'.
not destination address.
block in on $ext_if from no-route to any
for each incoming packet, its source address is checked against
the routing table. if there is no route back to the source
the packet is matched. this is created with the assumption that
no asymmetric multi-gateway routing is set up, such
that either (or one) router is ready to handle all of the
traffic (has a full routing table).
the use of no-route in the "to" part of the rule does not make
much sense otherwise, except, again, for asymmetric routing,
remote packet logging, etc.
> If you have a default route, no address is matched by 'no-route', as any
> address is reachable through the default gateway. As most people will
> have a default route, no-route is kind of an obscure feature.
> There's no relation to private address space like 10.0.0.0/8, you'll
> still have to filter that with $NoRouteIPs or similar, as you mentioned.
in case of a full routing table, separate filtering for
the non-routable addresses is not really needed, except
for debugging and, in some cases, reliability reasons.
paranoic mickey (my employers have changed but, the name has remained)
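The lookup semantics discussed in this message (a routing table lookup on the packet's source address, a match when no route exists, and no match at all once a default route is present) as an added illustration in Python. This is not pf's code and not part of the original post; the routing tables, sample packets and the "block"/"pass" decision model below are constructed for the example.

```python
"""Model of pf's 'no-route' matching as described in the thread.

Added example, not pf's own implementation: a small routing table,
a longest-prefix lookup, and the rule

    block in on $ext_if from no-route to any

applied to constructed sample packets, once without and once with a
default gateway.
"""
import ipaddress

# Constructed routing tables (not from the original post).  The first holds
# only the firewall's connected networks; the second adds a default route.
NO_DEFAULT_GW = ["192.0.2.0/24", "198.51.100.0/24"]
WITH_DEFAULT_GW = NO_DEFAULT_GW + ["0.0.0.0/0"]

# Constructed sample packets as (source, destination) pairs.
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.5"),  # source on a connected network
    ("203.0.113.7", "192.0.2.10"),   # no route back to this source w/o default gw
    ("10.9.8.7", "192.0.2.10"),      # private source, equally unrouted here
]


def route_lookup(routing_table, address):
    """Longest-prefix match: return the most specific network in the table
    that covers `address`, or None when nothing covers it."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix in routing_table:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def matches_no_route(routing_table, address):
    """'no-route' semantics: the address matches when the lookup finds no route."""
    return route_lookup(routing_table, address) is None


def filter_inbound(routing_table, packets):
    """Apply 'block in on $ext_if from no-route to any' to sample packets.

    The lookup is done on the *source* address, as the message points out;
    the destination plays no part in this rule.  Returns (src, dst, action)
    triples, where action is the constructed label 'block' or 'pass'.
    """
    decisions = []
    for src, dst in packets:
        action = "block" if matches_no_route(routing_table, src) else "pass"
        decisions.append((src, dst, action))
    return decisions


if __name__ == "__main__":
    for label, table in (("no default gateway", NO_DEFAULT_GW),
                         ("with default gateway", WITH_DEFAULT_GW)):
        print(f"--- {label}: {table}")
        for src, dst, action in filter_inbound(table, SAMPLE_PACKETS):
            print(f"{action:5} {src:>14} -> {dst}")
```

Running it shows the two points made in the thread: without a default gateway the rule blocks every packet whose source has no route back (including the 10.0.0.0/8 sample, but only because that prefix happens to be absent from this table), and with a default route 0.0.0.0/0 covers every source, so 'no-route' matches nothing and private space still needs an explicit list such as $NoRouteIPs.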