Tony Stohne wrote:

> Yes, putting the domain/IP address in the host file works, but has the
> negative side effect of being slower (at least if your host file is big.
> Parsing a big hosts file slows down networking overall because of the parsing
> process. If the file is small/short it's not a big problem). With TCP reset,

My hosts file is quite short; only two rows, currently.

> it's a lot quicker. If You want to block lots of ads/banner domains and/or
> malware/porn sites it's usually more efficient to use TCP reset, within reason
> of course... huge iptables blocks tend to slow things down as well unless You
> use IPset (an extension of iptables). Shorewall actually supports IPset, if
> You have those extensions compiled in Your kernel...
>
> IPset is a means of creating hashes for one or more address blocks or
> addresses, which speeds things up quite a lot.
>
> See http://ipset.netfilter.org/ and
>
> http://www.shorewall.net/ipsets.html
>
> BTW, Gentoo supports IPsets - in Portage it's under net-firewall/ipset but
> You have to recompile Your kernel, which may be too much work for You since
> we're discussing one domain/IP address in this case.

Nice tip! Thanks!

> Have a nice Sunday :)

Well, I'll be cooking meals for the coming work week so I'll be having
fun... ;-)

> I surely will as I'm watching F1 at Monza right now :)

Sounds great, although not really my cup of tea. :-)


Best regards

Peter K
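As an added example (not part of the thread above): a POSIX shell script that generates the ipset-plus-TCP-reset setup Tony describes, shown beside the one-rule-per-address iptables chain it replaces. The set name "adblock" and the RFC 5737 documentation addresses are constructed placeholders; the script only prints commands and applies nothing by itself.

```shell
#!/bin/sh
# Added example: block a list of networks with one ipset and a single
# REJECT --reject-with tcp-reset rule, instead of one iptables rule per entry.
# BLOCKLIST uses RFC 5737 documentation ranges as constructed sample input.
BLOCKLIST='203.0.113.0/24
198.51.100.17
192.0.2.0/28'

# Naive approach: one rule per entry. The OUTPUT chain grows linearly and
# every outgoing packet is compared against each rule in turn.
naive_rules() {
    echo "$1" | while read -r net; do
        [ -n "$net" ] || continue
        echo "iptables -A OUTPUT -d $net -p tcp -j REJECT --reject-with tcp-reset"
    done
}

# ipset approach, part 1: a restore file creating one hash:net set with one
# "add" line per entry. Load it with: ipset_restore_script adblock "$BLOCKLIST" | ipset restore -exist
ipset_restore_script() {
    set_name=$1
    echo "create $set_name hash:net family inet"
    echo "$2" | while read -r net; do
        [ -n "$net" ] || continue
        echo "add $set_name $net"
    done
}

# ipset approach, part 2: two rules match the whole set via a hash lookup.
# TCP connections get a RST (fast failure, no timeout); anything else gets the
# default ICMP port-unreachable reject.
ipset_rules() {
    set_name=$1
    echo "iptables -A OUTPUT -m set --match-set $set_name dst -p tcp -j REJECT --reject-with tcp-reset"
    echo "iptables -A OUTPUT -m set --match-set $set_name dst -j REJECT"
}

# Count how many iptables rules each approach emits, to make the difference visible.
rule_count() { echo "$1" | grep -c '^iptables '; }

# Stand-alone run: print both variants for review (nothing is applied).
echo "# naive chain: $(rule_count "$(naive_rules "$BLOCKLIST")") rules"
naive_rules "$BLOCKLIST"
echo "# ipset restore file:"
ipset_restore_script adblock "$BLOCKLIST"
echo "# ipset chain: $(rule_count "$(ipset_rules adblock)") rules"
ipset_rules adblock
```

Rule count stays constant with the ipset variant no matter how many entries the set holds, which is the point Tony makes about large blocklists.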