These special routes can be deployed to install blocking routes that result in route lookup failure. BSD Unices differentiate between -reject (emit an ICMP unreachable when matched) and -blackhole (silently discard). An example is presented in Example 8-6. This is similar to deny/reject settings of modern firewalls.
[root@castor:~#] route add -net 10.0.0.0/8 192.168.2.254 -reject
[root@castor:~#] route add -net 10.0.0.0/8 192.168.2.254 -blackhole
Similar flags exist for the Linux ip route command (prohibit/blackhole/unreachable), as demonstrated in Example 8-7. If you require an interface packet sink, you can use the BSD ds0 interface (pseudo-device disc) or the Linux dummy0 interface (ifconfig dummy0).
[root@callisto:~#] route add -net 10.0.0.0 netmask 255.0.0.0 reject
[root@callisto:~#] ip route add prohibit 172.16.1.0/24
[root@callisto:~#] ip route add blackhole 172.16.2.0/24
[root@callisto:~#] ip route add unreachable 172.16.3.0/24
[root@callisto:~#] netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.16.2.0      0.0.0.0         255.255.255.0   U        40 0          0 *
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 ipsec0
172.16.1.0      -               255.255.255.0   !         - -          - -
172.16.3.0      -               255.255.255.0   !         - -          - -
192.168.14.0    0.0.0.0         255.255.255.0   U        40 0          0 eth0
10.0.0.0        -               255.0.0.0       !         - -          - -
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG       40 0          0 eth1
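The following Python sketch is an added example, not part of the original text: it parses Linux netstat -rn output like the listing above and performs a longest-prefix lookup, showing which destinations land on a blocking route instead of the default gateway. The function names are hypothetical, the sample is a subset of the listing above, and treating the entry with interface * as the blackhole route is an assumption read off that listing.

```python
import ipaddress

# Constructed sample: a subset of the netstat -rn listing shown above.
SAMPLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.16.2.0      0.0.0.0         255.255.255.0   U        40 0          0 *
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 eth1
172.16.1.0      -               255.255.255.0   !         - -          - -
10.0.0.0        -               255.0.0.0       !         - -          - -
0.0.0.0         192.168.1.254   0.0.0.0         UG       40 0          0 eth1
"""

def parse_routes(netstat_output):
    """Return [(network, kind)], kind being forward, reject or blackhole."""
    routes = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Data rows have exactly eight columns; skip title and header lines.
        if len(fields) != 8 or fields[0] == "Destination":
            continue
        dest, mask, flags, iface = fields[0], fields[2], fields[3], fields[7]
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
        except ValueError:
            continue  # not a routing entry we understand
        if "!" in flags:
            kind = "reject"      # route(8) documents '!' as a reject route
        elif iface == "*":
            kind = "blackhole"   # assumption taken from the listing above
        else:
            kind = "forward"
        routes.append((net, kind))
    return routes

def lookup(address, routes):
    """Longest-prefix match; returns (network, kind) or (None, 'no-route')."""
    addr = ipaddress.ip_address(address)
    matches = [(net, kind) for net, kind in routes if addr in net]
    if not matches:
        return None, "no-route"
    return max(matches, key=lambda m: m[0].prefixlen)

if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    for ip in ("172.16.1.9", "172.16.2.9", "10.1.2.3", "8.8.8.8"):
        net, kind = lookup(ip, table)
        print(f"{ip:<12} -> {net} ({kind})")
```

Because the blocking entries are more specific than the default route, they win the lookup even though 0.0.0.0/0 also matches every address.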