Blackholes and Reject/Prohibit Routes

These special routes install blocking entries that cause route lookup to fail for the matching destination. BSD Unices differentiate between -reject (emit an ICMP unreachable when matched) and -blackhole (silently discard). An example is presented in Example 8-6. This is similar to the deny/reject distinction in modern firewalls.

Example 8-6. FreeBSD reject/blackhole Static Routing Entries

[root@castor:~#] route add -net 10.0.0.0/8 192.168.2.254 -reject
[root@castor:~#] route add -net 10.0.0.0/8 192.168.2.254 -blackhole


Similar route types exist for the Linux ip route command (prohibit/blackhole/unreachable), as demonstrated in Example 8-7. If you require an interface packet sink, you can use the BSD ds0 interface (pseudo-device disc) or the Linux dummy0 interface (ifconfig dummy0).

Example 8-7. Linux prohibit/blackhole/unreachable Static Routing Entries

[root@callisto:~#] route add -net 10.0.0.0 netmask 255.0.0.0 reject
[root@callisto:~#] ip route add prohibit 172.16.1.0/24
[root@callisto:~#] ip route add blackhole 172.16.2.0/24
[root@callisto:~#] ip route add unreachable 172.16.3.0/24

[root@callisto:~#] netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.16.2.0      0.0.0.0         255.255.255.0   U        40 0          0 *
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 ipsec0
172.16.1.0      -               255.255.255.0   !         - -          - -
172.16.3.0      -               255.255.255.0   !         - -          - -
192.168.14.0    0.0.0.0         255.255.255.0   U        40 0          0 eth0
10.0.0.0        -               255.0.0.0       !         - -          - -
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG       40 0          0 eth1
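An added audit helper, not part of the book's examples: it parses netstat -rn output of the layout shown in Example 8-7 and lists every blocking route, so an administrator can verify which prefixes are null-routed without reading the table by hand. It treats a "!" in the Flags column as a reject/prohibit/unreachable entry and "*" in the Iface column as a blackhole entry, exactly as they appear in the table above; the sample table embedded in the script is constructed from that output.

```sh
#!/bin/sh
# Added example (not from the book): audit blocking routes in a Linux
# netstat -rn table. SAMPLE_NETSTAT is a constructed copy of Example 8-7.
SAMPLE_NETSTAT='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.16.2.0      0.0.0.0         255.255.255.0   U        40 0          0 *
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 eth1
172.16.1.0      -               255.255.255.0   !         - -          - -
172.16.3.0      -               255.255.255.0   !         - -          - -
192.168.14.0    0.0.0.0         255.255.255.0   U        40 0          0 eth0
10.0.0.0        -               255.0.0.0       !         - -          - -
0.0.0.0         192.168.1.254   0.0.0.0         UG       40 0          0 eth1'

# blocking_routes TABLE
# Prints one "network/prefixlen" line per blocking route found in TABLE.
# Flags containing "!" are reject/prohibit/unreachable routes; an Iface of
# "*" is how the kernel shows a blackhole route in this table format.
blocking_routes() {
    printf '%s\n' "$1" | awk '
        # Convert a dotted netmask (e.g. 255.255.255.0) to a prefix length
        # by counting set bits in each octet.
        function masklen(mask,    parts, i, o, bits) {
            bits = 0
            split(mask, parts, ".")
            for (i = 1; i <= 4; i++) {
                o = parts[i] + 0
                while (o > 0) { bits += o % 2; o = int(o / 2) }
            }
            return bits
        }
        NR <= 2 { next }                  # skip the two header lines
        $4 ~ /!/ || $NF == "*" { print $1 "/" masklen($3) }
    '
}

# Stand-alone usage: list the blocking routes of the constructed table.
blocking_routes "$SAMPLE_NETSTAT"
```

On a live system, replace the constructed table with the real output, e.g. blocking_routes "$(netstat -rn)", and compare the result against the prefixes you intended to block.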