-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

pk said the following on 2008-09-14 13:25:
> Ok, good to know. I tried something simpler; putting the domain in
> /etc/hosts pointing to 127.0.0.1 (as suggested by Neil Bothwick). But
> I'll keep this in mind for the future. Thanks for the input!
>

Yes, putting the domain/IP address in the host file works, but has the
negative side effect of being slower (at least if your host file is big.
Parsing a big hosts file slows down networking overall because of the parsing
process. If the file is small/short it's not a big problem). With TCP reset,
it's a lot quicker. If You want to block lots of ads/banner domains and/or
malware/porn sites it's usually more efficient to use TCP reset, within reason
of course... huge iptables blocks tend to slow things down as well unless You
use IPset (an extension of iptables). Shorewall actually supports IPset, if
You have those extensions compiled in Your kernel...

IPset is a means of creating hashes for one or more address blocks or
addresses, which speeds things up quite a lot.

See http://ipset.netfilter.org/ and

http://www.shorewall.net/ipsets.html

BTW, Gentoo supports IPsets - in Portage it's under net-firewall/ipset but
You have to recompile Your kernel, which may be too much work for You since
we're discussing one domain/IP address in this case.

Have a nice Sunday :)
I surely will as I'm watching F1 at Monza right now :)

//Tony
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFIzQPCJDzv6DN+QUkRAuRdAKCpQKg47UfzhQvs41azzZLJ2bkYFgCgxrNC
dm1y/uWw7uF27bLzcVw7tqY=
=JbSy
-----END PGP SIGNATURE-----
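The ipset-plus-TCP-reset approach the reply describes, written out as an added shell example (not code from the thread, Shorewall, or the ipset project): a blocklist of addresses and CIDR blocks is validated and turned into an `ipset restore` script that builds a single `hash:net` set, and two iptables rules match outbound traffic against that set, answering blocked TCP connections with a RST so the client fails immediately instead of timing out. The set name `adblock`, the hashsize/maxelem values, and the sample addresses (RFC 5737 documentation ranges plus one deliberately malformed line) are assumptions constructed for this example; it goes slightly beyond the message by validating entries before they reach ipset.

```shell
#!/bin/sh
# Added example, not from the thread: build an ipset blocklist and the
# iptables rules that reject matches with a TCP reset. The set name
# "adblock" and the sample entries below are constructed for this example.

# Constructed sample blocklist: one IPv4 address or CIDR per line.
# A comment line and a malformed entry are included on purpose so the
# validation path is exercised.
SAMPLE_BLOCKLIST='# constructed sample, not a real blocklist
192.0.2.10
192.0.2.0/24
198.51.100.0/25
not-an-address
203.0.113.7'

SET_NAME=adblock

# is_ipv4_or_cidr ENTRY -> exit 0 when ENTRY is a dotted-quad IPv4 address
# with an optional /0-32 prefix and every octet is in 0-255, else exit 1.
is_ipv4_or_cidr() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32      # no slash: host address
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                            # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_ipset_restore -> print an "ipset restore" script: one create line,
# then one add line per valid entry. Invalid entries are reported on stderr
# and skipped rather than handed to ipset.
build_ipset_restore() {
    echo "create $SET_NAME hash:net family inet hashsize 1024 maxelem 65536"
    echo "$SAMPLE_BLOCKLIST" | while IFS= read -r line; do
        entry=${line%%#*}                       # drop trailing comments
        entry=$(echo "$entry" | tr -d '[:space:]')
        [ -n "$entry" ] || continue
        if is_ipv4_or_cidr "$entry"; then
            echo "add $SET_NAME $entry"
        else
            echo "skipping invalid entry: $entry" >&2
        fi
    done
}

# build_iptables_rules -> print the rules that consult the set. The TCP rule
# comes first so blocked connections get a RST (fast failure); the second
# rule catches other protocols with the default ICMP unreachable reject.
build_iptables_rules() {
    echo "iptables -A OUTPUT -p tcp -m set --match-set $SET_NAME dst -j REJECT --reject-with tcp-reset"
    echo "iptables -A OUTPUT -m set --match-set $SET_NAME dst -j REJECT"
}

# valid_entry_count -> number of add lines the generator emits.
valid_entry_count() {
    build_ipset_restore 2>/dev/null | grep -c "^add "
}

# Only apply when explicitly asked (needs root, ipset and iptables present);
# otherwise just show what would be loaded. "-exist" makes re-runs idempotent.
if [ "$1" = "--apply" ]; then
    build_ipset_restore | ipset -exist restore
    build_iptables_rules | sh
else
    build_ipset_restore
    build_iptables_rules
fi
```

Run without arguments to review the generated set and rules; run with `--apply` as root to load them. Because the kernel looks entries up in a hash rather than walking a rule per address, the lookup cost stays flat as the list grows, which is the point the reply makes about ipset versus a long chain of iptables rules or a large hosts file.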