Mick <[email protected]> [15-08-01 12:20]:
> On Saturday 01 Aug 2015 10:48:15 Alan McKinnon wrote:
> > On 01/08/2015 11:21, [email protected] wrote:
> > > Hi,
> > > 
> > > With ufw I want to temporarily block any access from my Gentoo PC to certain
> > > domains. Since domain names change IP addresses I don't want to block
> > > on the basis of the IP only.
> > > 
> > > Is this possible with ufw?
> > 
> > That is really not a good idea, which is why packet filtering firewalls
> > seldom attempt it.
> > 
> > It means that *every*single*packet* involves a reverse DNS lookup to get
> > the (unreliable) DNS name (which might not even be listed at all), do a
> > string comparison and make a block decision based on that. All of which
> > is probably an order of magnitude more resource use than simply sending
> > the packet out. There are optimizations of course, such as caching the
> > results of previous lookups, but there's still a considerable overhead.
> > 
> > There's a few ways around it:
> > 
> > 1. Rethink your firewalling policy. Maybe you really don't need to block
> > stuff and just think you do.
> > 
> > 2. Do a DNS lookup and check the TTL. If it's high, say 86400 then it
> > cannot change more than once a day. So you only need to do a lookup once
> > a day. Write or get a script that looks up your banned domains every so
> > often, gets the new IP if it changed and reload a new netfilter rule set.
> > 
> > #2 is the correct approach for large firewalls with many users but does
> > involve a quite sophisticated codebase, probably way more than you need
> > for your 1 PC. Which brings us back to #1.
> 
> There's also the option to set in /etc/hosts:
> 
> 127.0.0.1       safebrowsing.clients.google.com
> 
> (Replace the google domain above with whatever you want to stop access to).
> 
> -- 
> Regards,
> Mick

Hi Mick,

Yes, this comes close to what I want, but it is not that easy to switch
on/off.

Background:
I have an Android tablet which I connected via Wifi to my PC and
started wireshark before the connection was established.

As soon as the connection was there, the tablet started to phone home.
I want to stop that for the case when the tablet accesses those
domains, since in that case a tablet ID or whatever this
"anonymous identification" is called is transmitted.

Next, iptables came into my mind since it is a configuration
item and not a physical thing like a file.

Is there a way (for example via something below /proc or /sys) to
feed the contents of /etc/hosts into the kernel instead of using
the physical file?

Best regards
Meino
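
Added example, written for this edit and not posted by anyone in the thread:
a small POSIX shell script in the spirit of Alan's option #2, meant to run
from cron. It resolves each domain in a list with dig, turns the A records
into ufw rules, remembers which IPs it installed so it can remove them on the
next run, and reports the lowest TTL it saw as the longest safe interval
between runs. The file paths, the RULE variable and the use of dig
(net-dns/bind-tools on Gentoo) are my own assumptions, not something from
the thread.

```shell
#!/bin/sh
# Added example, not from the thread: refresh ufw block rules for a list of
# domains (Alan's option #2). Run it from cron at least as often as the
# lowest TTL it reports. Assumes dig (net-dns/bind-tools) and ufw.
# The file paths below are hypothetical choices, not from the thread.

DOMAINS_FILE="${DOMAINS_FILE:-/etc/ufw/blocked-domains.txt}"   # one domain per line
STATE_FILE="${STATE_FILE:-/var/lib/ufw-blocked-domains.state}" # IPs added last run
# "deny out to" blocks this PC's own traffic; use "route deny to" for traffic
# forwarded from another device (e.g. a tablet tethered through this PC).
RULE="${RULE:-deny out to}"

# resolve_domain DOMAIN: print one "IP TTL" line per A record (live lookup).
# dig +noall +answer prints: name  ttl  IN  A  address
resolve_domain() {
    dig +noall +answer "$1" A | awk '$4 == "A" { print $5, $2 }'
}

# min_ttl: read "IP TTL" lines on stdin, print the smallest TTL. A record
# cannot change faster than its TTL, so this bounds how often to refresh.
min_ttl() {
    awk 'NR == 1 || $2 + 0 < m { m = $2 + 0 } END { if (NR) print m }'
}

# ufw_rules: read "IP TTL" lines on stdin, print one ufw command per unique IP.
ufw_rules() {
    awk -v rule="$RULE" '!seen[$1]++ { print "ufw " rule " " $1 }'
}

# apply: resolve every domain, drop last run's rules, install the new ones,
# record what was installed and report the refresh bound.
apply() {
    records=$(mktemp) || exit 1
    while read -r domain; do
        case "$domain" in ''|\#*) continue ;; esac   # skip blanks and comments
        resolve_domain "$domain"
    done < "$DOMAINS_FILE" > "$records"

    # Remove what the previous run added, so IPs that changed do not linger.
    if [ -f "$STATE_FILE" ]; then
        while read -r ip; do
            # $RULE is split on purpose; the rule may already be gone
            ufw delete $RULE "$ip" >/dev/null 2>&1 || true
        done < "$STATE_FILE"
    fi

    ufw_rules < "$records" | sh
    awk '{ print $1 }' "$records" | sort -u > "$STATE_FILE"
    echo "lowest TTL seen: $(min_ttl < "$records")s; re-run at least that often"
    rm -f "$records"
}

case "${1-}" in
    apply) apply ;;
esac
```

Usage: put the domains in DOMAINS_FILE, run the script with the argument
"apply" as root, and schedule it with an interval no longer than the TTL it
prints. Because it blocks by IP inside netfilter, it also covers the
tablet's traffic when that is forwarded through the PC (set RULE="route deny
to" for that), which an /etc/hosts entry on the PC cannot do: the tablet
uses its own resolver unless the PC serves DNS to it.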


