Null Routing IP Addresses in FreeBSD and OpenBSD

There comes a time you need to block a certain IP address or subnet from accessing a server of yours. I usually run a table in PF or IPTables to throw IPs in so that they are properly blocked from all services, but if you need a quick solution to stop stopping an address or subnet Null Routing is much easier.

Null routing is altering your routing table on a server to make a source IP or network have an impossible route, usually to localhost. This creates a "black hole" which simply discards packets from the specified address or subnet, instead of rejecting which would send an ICMP destination-unreachable back to the source (when applicable).

It is important to know that these routes will not survive a reboot. They can be made to surive a reboot, but it is specific to each operating system.

To null route a single IP Address:

root@dev:~ # route add -host 192.168.1.129 127.0.0.1 -blackhole
add host 192.168.1.129: gateway 127.0.0.1

Let's take a look at our routing table

root@dev:~ # netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         xn0
10.0.0.0           link#3             UH          lo1
10.0.0.80          link#3             UH          lo1
localhost          link#1             UH          lo0
192.168.1.0/24     link#2             U           xn0
192.168.1.28       link#2             UHS         lo0
192.168.1.129      localhost          UGHSB       lo0
255.255.255.0      link#3             UH          lo1

----- snip -----

Okay we can see that route up there, let's remove the null route, and then check to make sure it is gone

root@dev:~ # route del 192.168.1.129
del host 192.168.1.129
root@dev:~ # netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         xn0
10.0.0.0           link#3             UH          lo1
10.0.0.80          link#3             UH          lo1
localhost          link#1             UH          lo0
192.168.1.0/24     link#2             U           xn0
192.168.1.28       link#2             UHS         lo0
255.255.255.0      link#3             UH          lo1

----- snip -----

To block a subnet, use CIDR format

root@dev:~ # route add -net 192.168.99.0/24 127.0.0.1 -blackhole
add net 192.168.99.0: gateway 127.0.0.1

To make a null route static (so that it survives reboots) in FreeBSD (you should not do this, use your firewall), read the section of the FreeBSD Handbook on Static Routes. To create these add the following lines to /etc/rc.conf

static_routes="nullroute1 nullroute2"
route_nullroute1="-net 192.168.1.129 127.0.0.1 -blackhole"
route_nullroute2="-net 192.168.99.0/24 127.0.0.1 -blackhole"

To make a null route static in OpenBSD (you should not do this, use your firewall) you need to edit your interface file. If your interface is xnf0 your interface file would be /etc/hostname.xnf0, and add the following:

!route add -host 192.168.1.129 127.0.0.1 -blackhole
!route add -net 192.168.99.0/24 127.0.0.1 -blackhole
Show Comments