On Saturday 01 Aug 2015 10:48:15 Alan McKinnon wrote:
> On 01/08/2015 11:21, [email protected] wrote:
> > Hi,
> >
> > With ufw I want to temporarily block any access from my Gentoo PC to certain
> > domains. Since domain names change IP addresses I don't want to block
> > on the basis of the IP only.
> >
> > Is this possible with ufw?
>
> That is really not a good idea, which is why packet filtering firewalls
> seldom attempt it.
>
> It means that *every*single*packet* involves a reverse DNS lookup to get
> the (unreliable) DNS name (which might not even be listed at all), do a
> string comparison and make a block decision based on that. All of which
> is probably an order of magnitude more resource use than simply sending
> the packet out. There are optimizations of course, such as caching the
> results of previous lookups, but there's still a considerable overhead.
>
> There are a few ways around it:
>
> 1. Rethink your firewalling policy. Maybe you really don't need to block
> stuff and just think you do.
>
> 2. Do a DNS lookup and check the TTL. If it's high, say 86400, then it
> cannot change more than once a day. So you only need to do a lookup once
> a day. Write or get a script that looks up your banned domains every so
> often, gets the new IP if it changed and reloads a new netfilter rule set.
>
> #2 is the correct approach for large firewalls with many users but does
> involve a quite sophisticated codebase, probably way more than you need
> for your 1 PC. Which brings us back to #1.
There's also the option to set in /etc/hosts:

127.0.0.1 safebrowsing.clients.google.com

(Replace the google domain above with whatever you want to stop access to.)

--
Regards,
Mick
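A small sketch of the TTL-driven approach Alan describes in #2 above, added here as an illustration and not code from either poster: resolve each banned domain, diff the answers against the IPs currently blocked, emit the matching ufw commands, and use the smallest TTL seen as the refresh interval. The domain names, addresses and the resolver are constructed stand-ins; in real use the resolver would call dnspython or parse dig output.

```python
"""Keep ufw outbound deny rules in sync with the current A records of banned domains."""
import shlex
import subprocess
from typing import Callable, Dict, Iterable, List, Set, Tuple

# A resolver returns (set_of_ip_addresses, ttl_seconds) for one name.
# Hypothetical interface: wire it to dnspython or `dig +noall +answer` in practice.
Resolver = Callable[[str], Tuple[Set[str], int]]

def plan_rules(banned: Iterable[str], current: Set[str],
               resolve: Resolver) -> Tuple[List[str], List[str], int]:
    """Return (ufw commands to add, ufw commands to delete, seconds until next refresh).

    `current` is the set of IPs already covered by deny rules (e.g. parsed from
    `ufw status numbered`). Rules for IPs a domain no longer points at are removed,
    so a recycled address is not blocked forever.
    """
    wanted: Set[str] = set()
    min_ttl = 86400                       # never wait longer than a day
    for name in banned:
        ips, ttl = resolve(name)
        wanted |= ips
        min_ttl = min(min_ttl, max(ttl, 60))  # floor of 60 s so tiny TTLs do not hammer DNS
    add = [f"ufw deny out to {ip}" for ip in sorted(wanted - current)]
    delete = [f"ufw delete deny out to {ip}" for ip in sorted(current - wanted)]
    return add, delete, min_ttl

def apply(commands: List[str], dry_run: bool = True) -> None:
    """Print the commands, or run them (needs root) when dry_run is False."""
    for cmd in commands:
        if dry_run:
            print(cmd)
        else:
            subprocess.run(shlex.split(cmd), check=True)

# Constructed sample answers (documentation-range addresses, not real DNS data).
SAMPLE: Dict[str, Tuple[Set[str], int]] = {
    "tracker.example": ({"203.0.113.10", "203.0.113.11"}, 300),
    "ads.example": ({"198.51.100.7"}, 3600),
}

def sample_resolver(name: str) -> Tuple[Set[str], int]:
    return SAMPLE[name]

if __name__ == "__main__":
    # 198.51.100.7 is already blocked; 203.0.113.99 is stale and should be dropped.
    add, delete, wait = plan_rules(SAMPLE, {"198.51.100.7", "203.0.113.99"}, sample_resolver)
    apply(add + delete)
    print(f"next refresh in {wait}s")
```

Run it from cron or a systemd timer with an interval no shorter than the value it reports, and check `ufw status` afterwards to confirm only the intended addresses are listed.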