Mick <[email protected]> [15-08-01 13:20]:
> On Saturday 01 Aug 2015 11:35:14 [email protected] wrote:
> > Mick <[email protected]> [15-08-01 12:20]:
> > > On Saturday 01 Aug 2015 10:48:15 Alan McKinnon wrote:
> > > > On 01/08/2015 11:21, [email protected] wrote:
> > > > > Hi,
> > > > >
> > > > > With ufw I want to temporarily block any access from my Gentoo PC to
> > > > > certain domains. Since domain names change IP addresses I don't want
> > > > > to block based on the IP only.
> > > > >
> > > > > Is this possible with ufw?
> > > >
> > > > That is really not a good idea, which is why packet filtering firewalls
> > > > seldom attempt it.
> > > >
> > > > It means that *every*single*packet* involves a reverse DNS lookup to
> > > > get the (unreliable) DNS name (which might not even be listed at all),
> > > > do a string comparison and make a block decision based on that. All of
> > > > which is probably an order of magnitude more resource use than simply
> > > > sending the packet out. There are optimizations of course, such as
> > > > caching the results of previous lookups, but there's still a
> > > > considerable overhead.
> > > >
> > > > There's a few ways around it:
> > > >
> > > > 1. Rethink your firewalling policy. Maybe you really don't need to
> > > > block stuff and just think you do.
> > > >
> > > > 2. Do a DNS lookup and check the TTL. If it's high, say 86400 then it
> > > > cannot change more than once a day. So you only need to do a lookup
> > > > once a day. Write or get a script that looks up your banned domains
> > > > every so often, gets the new IP if it changed and reloads a new
> > > > netfilter rule set.
> > > >
> > > > #2 is the correct approach for large firewalls with many users but does
> > > > involve a quite sophisticated codebase, probably way more than you
> > > > need for your 1 PC. Which brings us back to #1
> > >
> > > There's also the option to set in /etc/hosts:
> > >
> > > 127.0.0.1 safebrowsing.clients.google.com
> > >
> > > (Replace the google domain above with whatever you want to stop access
> > > to).
> >
> > Hi Mick,
> >
> > yes this comes close to what I want, but it is not that easy to switch
> > on/off.
> >
> > Background:
> > I have an Android tablet which I connected via Wifi to my PC and
> > started wireshark before the connection was established.
> >
> > As soon as the connection was there, the tablet started to phone home.
> > I want to stop that for the case when the tablet accesses those
> > domains, since in that case a tablet ID or whatever this
> > "anonymous identification" is called is transmitted.
> >
> > Next came iptables into my mind since it is a configuration
> > item and not a physical thing like a file.
> >
> > Is there a way (for example via something below /proc or /sys) to
> > feed the contents of /etc/hosts into the kernel instead of using
> > the physical file?
> >
> > Best regards
> > Meino
>
> If I recall right you are using dnsmasq on the PC you connect the tablet to?
>
> In this case you can add in dnsmasq.conf:
>
> address=/some-adnroid-site.com/127.0.0.1
>
> This will cause any dns queries to this address from the tablet to fail, but
> it will NOT block connections to relevant IP addresses. Not sure if this is
> any easier than altering /etc/hosts on the tablet.
>
> --
> Regards,
> Mick

Hi Mick,

I am using create_ap on my PC to build a temporary Access Point for a Wifi
connection with my tablet. I think create_ap uses dnsmasq on the fly...not sure.

I will try not to touch any Android system owned files on the tablet until a
Custom ROM is made public for this tablet. With these Custom ROMs there is a
tool bundled called "TWRP" or "CWM" which makes it easy to replay a so-called
nandroid backup (an image copy of the whole system internal flash) right after
the bootloader is run and the system is still not booted.

May sound a little paranoid, but changing things below /etc the wrong way,
especially on a system I don't understand in full currently, has the ability to
create "Just another brick in the wall"..."There is a difference in knowing the
path and walking the path, Neo"..."Do you think you are booting, Neo? In _this
room....?"

Ok...back to the topic.

I added the suspicious accesses to the /etc/hosts on my PC, which I hope has
the same effect, since everything is routed to the same DNS.

What do you think?

Best regards,
Meino
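For readers who want to try Alan's option #2 rather than the /etc/hosts or dnsmasq `address=` route, here is an added example (not code from anyone in the thread) of the "resolve, note the TTL, regenerate the rule set" loop. It emits the dnsmasq line Mick gave (which only makes the tablet's DNS queries fail) alongside iptables rules for the resolved addresses (which actually reject the traffic), and reports when the lookup should be repeated, i.e. when the shortest TTL expires. Assumptions: the tablet's traffic crosses the PC's FORWARD chain because create_ap routes it, IPv4 only, and the resolver is injected so the script runs offline; the domains, addresses and TTLs are constructed sample data, and in real use you would plug in dnspython or parse `dig +noall +answer`.

```python
"""Domain block list -> dnsmasq lines + iptables rules, refreshed on TTL expiry.

Added example, not from the mailing-list thread. The resolver is injected
(here a dict lookup on constructed data) so the logic runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# A resolver maps a name to (A records, TTL in seconds) or raises LookupError.
Resolver = Callable[[str], Tuple[List[str], int]]


@dataclass
class BlockPlan:
    dnsmasq_lines: List[str] = field(default_factory=list)
    iptables_rules: List[str] = field(default_factory=list)
    refresh_after: int = 60            # seconds until the next resolve cycle
    unresolved: List[str] = field(default_factory=list)


def dnsmasq_line(domain: str) -> str:
    # Same form as Mick's hint: every query for the domain answers 127.0.0.1.
    return f"address=/{domain}/127.0.0.1"


def iptables_rule(ip: str) -> str:
    # Assumption: tablet traffic is forwarded by the PC (create_ap), so the
    # reject belongs in the FORWARD chain. IPv4 only in this example.
    return f"iptables -I FORWARD -d {ip} -j REJECT"


def build_block_plan(domains, resolve: Resolver,
                     min_refresh: int = 60, max_refresh: int = 86400) -> BlockPlan:
    """Resolve each domain once and derive rules plus the next refresh time."""
    plan = BlockPlan()
    seen: Set[str] = set()
    ttls: List[int] = []
    for domain in domains:
        plan.dnsmasq_lines.append(dnsmasq_line(domain))   # DNS-level block always
        try:
            ips, ttl = resolve(domain)
        except LookupError:
            # NXDOMAIN / SERVFAIL: keep the DNS block, retry at the short interval.
            plan.unresolved.append(domain)
            ttls.append(min_refresh)
            continue
        ttls.append(ttl)
        for ip in ips:
            if ip not in seen:          # one rule per address, even if shared
                seen.add(ip)
                plan.iptables_rules.append(iptables_rule(ip))
    # Re-resolve when the shortest TTL expires, clamped to a sane window:
    # Alan's point that a TTL of 86400 means at most one change per day.
    shortest = min(ttls) if ttls else max_refresh
    plan.refresh_after = max(min_refresh, min(shortest, max_refresh))
    return plan


def rule_changes(old_rules, new_rules) -> Tuple[List[str], List[str]]:
    """Commands that move the live rule set to the new one: (adds, deletes)."""
    old, new = set(old_rules), set(new_rules)
    adds = sorted(new - old)
    deletes = sorted(r.replace("-I FORWARD", "-D FORWARD", 1) for r in old - new)
    return adds, deletes


# --- constructed sample data (example.* names, TEST-NET addresses) ---------
SAMPLE_DNS: Dict[str, Tuple[List[str], int]] = {
    "telemetry.example.net": (["203.0.113.10", "203.0.113.11"], 300),
    "stats.example.org": (["198.51.100.7"], 86400),
}


def sample_resolver(name: str) -> Tuple[List[str], int]:
    """Stand-in for a real DNS lookup; raises LookupError like NXDOMAIN would."""
    if name not in SAMPLE_DNS:
        raise LookupError(name)
    return SAMPLE_DNS[name]


if __name__ == "__main__":
    plan = build_block_plan(
        ["telemetry.example.net", "stats.example.org", "gone.example.com"],
        sample_resolver)
    print("\n".join(plan.dnsmasq_lines))
    print("\n".join(plan.iptables_rules))
    print(f"unresolved: {plan.unresolved}; re-run in {plan.refresh_after}s")
```

Run it from cron at the interval it reports, keep the previous rule list on disk, and apply only what `rule_changes` returns so a refresh does not drop and recreate every rule; the dnsmasq lines go into a file included from dnsmasq.conf, followed by a dnsmasq reload. Note the limitation Mick already pointed out still applies to the dnsmasq half: it stops name lookups, while only the iptables half stops connections to addresses the tablet already knows.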

