Dear list followers, as promised in the IPFire community portal and as the subject of this mail already suggested, I want to start the discussion about where a possible "filtering" mechanism could be implemented.
The main goal of this process should be to collect various locations where such a feature could be hooked in, determine their pros and cons and hopefully find the best solution for our needs. Please keep in mind that at this early stage we mainly should focus on technical aspects and the "where" instead of deeper details about a possible implementation - the so-called "how".

At the moment I am aware of four possible locations, but please feel free to suggest new ideas in case I missed one. These are:

* Web proxy (Squid)
* Firewall engine (IPtables)
* IDS/IPS (Suricata)
* DNS (unbound)

I'll start with my thoughts about placing that feature in the firewall engine. Feel free to add additional comments or likewise do the same task for any other location.

-- Firewall --

Positive:

* Located in the Linux kernel, no extra daemon during runtime required
* Seamless network integration, no configuration on the clients required
* Bypass not possible, because traffic to the target address is blocked
* ?

Negative:

* Possibly huge amount of single rules in one or more chains, which need to be passed and may produce overhead and therefore could slow down network traffic (This could be reduced by combining IPtables and IPSets)
* IPtables is based on IP addresses, so hostnames will be resolved the first time a rule with hostnames as argument is created. This will lead to incorrect rules in case the address of a formerly loaded rule changes later. (A very theoretical workaround could be to periodically reload/recreate the rules)
* If multiple services are hosted on the same address, none of them can be accessed because the traffic to the entire host is blocked
* ?

I hope this first example shows you how this concept of brainstorming and discussion could be done. I'd like to thank anybody in advance who is willing to join and share their opinions here.

Best regards,
-Stefan
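The two firewall drawbacks above (one rule per address, and addresses that go stale after the rule was created) are usually handled together with the IPSet combination the mail mentions: keep the blocked addresses in one set, reference it from a single iptables rule, and rebuild the set atomically on a timer. The script below is an added illustration of that pattern, not code from the mail or from IPFire; the set name "blocklist", the chain and target used in the rule, and the RESOLVER_TABLE override (a constructed hostname-to-address table so the script can be exercised without network access) are all assumptions made here.

```shell
#!/bin/sh
# Added example: maintain the blocked hosts as one ipset so the FORWARD chain
# needs a single rule, and refresh the set with `ipset swap` so a changed
# address never leaves a stale entry behind. Set name, chain and target are
# hypothetical choices for this illustration.

SET_NAME="blocklist"

# Resolve a hostname to its current IPv4 addresses. On a real system this uses
# getent; when RESOLVER_TABLE ("host addr" lines) is set, that constructed
# table is consulted instead so the generator runs offline.
resolve_host() {
    host="$1"
    if [ -n "$RESOLVER_TABLE" ]; then
        printf '%s\n' "$RESOLVER_TABLE" | awk -v h="$host" '$1 == h { print $2 }'
    else
        getent ahostsv4 "$host" | awk '{ print $1 }' | sort -u
    fi
}

# Emit an `ipset restore` script from the hostnames given on stdin. The
# addresses are resolved into a temporary set, which is then swapped over the
# live set in one step, so there is never a window with a half-filled set.
gen_ipset_restore() {
    tmp="${SET_NAME}_tmp"
    printf 'create %s hash:ip\n' "$SET_NAME"
    printf 'create %s hash:ip\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    while read -r host; do
        [ -z "$host" ] && continue
        for ip in $(resolve_host "$host"); do
            printf 'add %s %s\n' "$tmp" "$ip"
        done
    done
    printf 'swap %s %s\n' "$tmp" "$SET_NAME"
    printf 'destroy %s\n' "$tmp"
}

# The only iptables rule required, however many hosts the set contains.
# Matching on "dst" blocks traffic towards the listed addresses.
iptables_rule() {
    printf 'iptables -I FORWARD -m set --match-set %s dst -j REJECT\n' "$SET_NAME"
}
```

On a real box the generated script is fed to `ipset -exist restore` (the `-exist` flag keeps the `create` lines from failing once the sets already exist) from a cron job or systemd timer, and the rule from `iptables_rule` is installed once. Note that this only addresses the rule-count and stale-address points; the third drawback in the mail, that every service on a shared address is blocked together, is inherent to filtering on the IP layer and remains.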
