Nikos Vassiliadis wrote:

On Wednesday 12 December 2007 04:06:01 Erich Dollansky wrote:
There's no clean solutions to getting different lookups per-user that
I
The clen solution is hosts.


But hosts is operating system-wide.

Both ipfw and pf support tables, which is what you
want, large sets or unrelated (addresses|networks).
Both of them support UID matching as a target
(caution: this feature is not mpsafe on FreeBSD-6).
I don't understand how you think any firewall would do this. Firewalls will block based on IP addresses, whereas what I do (pointing numerous ad sites at a local apache vhost) works based on names. I have no clue if the ad sites share IP addresses with anything else, nor do I care; nor do I care if some ad site has 50 different IP addresses because I never resolve the real IP.

To take a random, made up example:

ads.useful.site = 10.1.1.1
www.useful.site = 10.1.1.1

Using hosts (or DNS) I can make ads.useful.site instead = 192.168.1.1

or

ads.useful.site = 101.1.1 -> 10.1.1.255

but I'm going to spend *forever* before I get all those IP addresses from a round-robin DNS entry to put into some ipfw table, and if any of those addresses also hosts the main site, I end up blocking that too.

I don't see how a firewall is appropriate for this (hosts.allow, likewise). The point of the exercise is to never even contact the ad host.

If I've misunderstood something about your approach, please enlighten me.

--Alex



_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to