| 1 |
Tony Stohne wrote: |
| 2 |
|
| 3 |
> Yes, putting the domain/IP address in the host file works, but has the |
| 4 |
> negative side effect of being slower (at least if your host file is big. |
| 5 |
> Parsing a big hosts file slows down networking overall because of the parsing |
| 6 |
> process. If the file is small/short it's not a big problem). With TCP reset, |
| 7 |
|
| 8 |
My hosts file is quite short; only two rows, currently. |
| 9 |
|
| 10 |
> it's a lot quicker. If You want to block lots of ads/banner domains and/or |
| 11 |
> malware/porn sites it's usually more efficient to use TCP reset, within reason |
| 12 |
> of course... huge iptables blocks tend to slow things down as well unless You |
| 13 |
> use IPset (an extension of iptables). Shorewall actually supports IPset, if |
| 14 |
> You have those extensions compiled in Your kernel... |
| 15 |
> |
| 16 |
> IPset is a means of creating hashes for one or more address blocks or |
| 17 |
> addresses, which speeds things up quite a lot. |
| 18 |
> |
| 19 |
> See http://ipset.netfilter.org/ and |
| 20 |
> |
| 21 |
> http://www.shorewall.net/ipsets.html |
| 22 |
> |
| 23 |
> BTW, Gentoo supports IPsets - in Portage it's under net-firewall/ipset but |
| 24 |
> You have to recompile Your kernel, which may be too much work for You since |
| 25 |
> we're discussing one domain/IP address in this case. |
| 26 |
|
| 27 |
Nice tip! Thanks! |
| 28 |
|
| 29 |
> Have a nice Sunday :) |
| 30 |
|
| 31 |
Well, I'll be cooking meals for the coming work week so I'll be having |
| 32 |
fun... ;-) |
| 33 |
|
| 34 |
> I surely will as I'm watching F1 at Monza right now :) |
| 35 |
|
| 36 |
Sounds great, although not really my cup of tea. :-) |
| 37 |
|
| 38 |
|
| 39 |
Best regards |
| 40 |
|
| 41 |
Peter K |
Archives