| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
pk said the following on 2008-09-14 13:25: |
| 5 |
> Ok, good to know. I tried something simpler; putting the domain in |
| 6 |
> /etc/hosts pointing to 127.0.0.1 (as suggested by Neil Bothwick). But |
| 7 |
> I'll keep this in mind for the future. Thanks for the input! |
| 8 |
> |
| 9 |
|
| 10 |
Yes, putting the domain/IP address in the host file works, but has the |
| 11 |
negative side effect of being slower (at least if your host file is big. |
| 12 |
Parsing a big hosts file slows down networking overall because of the parsing |
| 13 |
process. If the file is small/short it's not a big problem). With TCP reset, |
| 14 |
it's a lot quicker. If You want to block lots of ads/banner domains and/or |
| 15 |
malware/porn sites it's usually more efficient to use TCP reset, within reason |
| 16 |
of course... huge iptables blocks tend to slow things down as well unless You |
| 17 |
use IPset (an extension of iptables). Shorewall actually supports IPset, if |
| 18 |
You have those extensions compiled in Your kernel... |
| 19 |
|
| 20 |
IPset is a means of creating hashes for one or more address blocks or |
| 21 |
addresses, which speeds things up quite a lot. |
| 22 |
|
| 23 |
See http://ipset.netfilter.org/ and |
| 24 |
|
| 25 |
http://www.shorewall.net/ipsets.html |
| 26 |
|
| 27 |
BTW, Gentoo supports IPsets - in Portage it's under net-firewall/ipset but |
| 28 |
You have to recompile Your kernel, which may be too much work for You since |
| 29 |
we're discussing one domain/IP address in this case. |
| 30 |
|
| 31 |
Have a nice Sunday :) |
| 32 |
I surely will as I'm watching F1 at Monza right now :) |
| 33 |
|
| 34 |
//Tony |
| 35 |
-----BEGIN PGP SIGNATURE----- |
| 36 |
Version: GnuPG v1.4.7 (MingW32) |
| 37 |
|
| 38 |
iD8DBQFIzQPCJDzv6DN+QUkRAuRdAKCpQKg47UfzhQvs41azzZLJ2bkYFgCgxrNC |
| 39 |
dm1y/uWw7uF27bLzcVw7tqY= |
| 40 |
=JbSy |
| 41 |
-----END PGP SIGNATURE----- |
Archives