On Saturday 01 Aug 2015 11:35:14 [email protected] wrote: > Mick <[email protected]> [15-08-01 12:20]: > > On Saturday 01 Aug 2015 10:48:15 Alan McKinnon wrote: > > > On 01/08/2015 11:21, [email protected] wrote: > > > > Hi, > > > > > > > > With ufw I want temporary block any access from my Gentoo PC to > > > > certain domains. Since domain names change IP addresses I dont want > > > > to block on base of the IP only. > > > > > > > > Is this possible with ufw? > > > > > > That is really not a good idea, which is why packet filtering firewalls > > > seldom attempt it. > > > > > > It means that *every*single*packet* involves a reverse DNS lookup to > > > get the (unreliable) DNS name (which might not even be listed at all), > > > do a string comparison and make a block decision based on that. All of > > > which is probably an order of magnitude more resource use that simply > > > sending the packet out. There are optimizations of course, such as > > > caching the results of previous lookups, but there's still a > > > considerable overhead. > > > > > > There's a few ways around it: > > > > > > 1. Rethink your firewalling policy. Maybe you really don't need to > > > block stuff and just think you do. > > > > > > 2. Do a DNS lookup and check the TTL. If it's high, say 86400 then it > > > cannot change more than once a day. So you only need to do a lookup > > > once a day. Write or get a script that looks up your banned domains > > > every so often, gets the new IP if it changed and reload a new > > > netfilter rule set. > > > > > > #2 is the correct approach for large firewalls with many users but does > > > involves a quite sophisticated codebase, probably way more than you > > > need for your 1 pc. Which brings us back to #1 > > > > There's also the option to set in /etc/hosts: > > > > 127.0.0.1 safebrowsing.clients.google.com > > > > (Replace the google domain above with whatever you want to stop access > > to). > > Hi Mick, > > yes this comes close to what I want, but it is not that easy to switch > on/off. > > Background: > I have a Android tablet which I connected via Wifi to my PC and > started wireshark before the connection was etablished. > > As soon the connection was there, the tablet starts to phone home. > I want to stop that for the case, when the tablet accesses those > domains, since in that case an tablet ID or whatever this > "anonymous identification" is called is transmitted. > > Next came iptables into my mind since it is a configuration > item and not a phyical thing like a file. > > Is there a way (for example via something below /proc or /sys) to > feed the contents of /etc/hosts into the kernel instead of using > the physical file? > > Best regards > Meino
If I recall right you are using dnsmasq on the PC you connect the tablet to? In this case you can add in dnsmasq.conf: address=/some-adnroid-site.com/127.0.0.1 This will cause any dns queries to this address from the tablet to fail, but it will NOT block connections to relevant IP addresses. Not sure if this is any easier than altering /etc/hosts on the tablet. -- Regards, Mick
signature.asc
Description: This is a digitally signed message part.
