Devdas Bhagat wrote:
> On 20/07/06 12:49 +0530, Amish Mehta wrote:
>> Three ways to do this and not at all expensive:
>> 1) Make your DNS server host blogspot.com and redirect ALL
>> port 53 traffic to it and block blockedblog.blogspot.com
>> requests.
> If you want to be authoritative for blogspot.com, then you
> have to deal with every domain under it as well. You would
> merely want to be authoritative for blockedhost.blogspot.com,
> which is trivially circumventable with /etc/hosts.

blockedblog is just an example. /etc/hosts won't work, as you need an entry for each subdomain. DNS wildcards or DNS forwarders can be set up easily.

>> 2) Use transparent proxy which also does SNAT, back to
>> original IP for outgoing packets.
> And which works at Gigabit speeds and has vendor backing.

Didn't get you, but anyway this wasn't my recommended way either. But it can work for small ISPs.

>> 3) Just like ip_conntrack_ftp module which tracks PORT commands,
>> develop ip_conntrack_http module which tracks HTTP "Host:"
>> header and blocks the blocked sites.
> And then make the system even more complex by routing stuff
> to a Linux box. Unless you think that ISPs run Linux boxes for
> their ATM and SONET circuits?

This is an idea/method (with ip_conntrack as an analogy) and doesn't generally pertain to Linux. Many routers do protocol-based (VPN, Skype, MSN etc.) "packet" filtering. Writing code for HTTP filtering and implementing it on a chip is no big deal. I don't think it adds any kind of complexity.

a) The idea is to capture packets on port 80.
b) Analyse the "Host:" header.
c) Check the ACL.
d) Block or pass.

Amish.
-- http://mm.glug-bom.org/mailman/listinfo/linuxers
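The Host-header ACL described in steps a) to d) above, as an added worked example in Python; this is not code from the linuxers list, from ip_conntrack or from any router vendor. The ACL entries and the sample requests are constructed for the illustration, a "*.domain" entry is assumed to mean "block the whole subtree under domain" (the DNS-wildcard point raised in the thread), and the packet capture step itself is left out: the functions take the raw request bytes as they would be seen on port 80.

```python
"""
Host-header ACL check for plaintext HTTP on port 80:
read the "Host:" header, consult an ACL, decide block or pass.
Added illustration for the thread's idea; not code from the list,
from ip_conntrack or from any router implementation.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed ACL (assumption). A leading "*." entry covers every host
# below that domain; any other entry must match exactly.
BLOCKED_HOSTS = ["blockedblog.blogspot.com", "*.example-banned.test"]


def extract_host(request: bytes) -> Optional[str]:
    """Return the normalised Host header of an HTTP/1.x request, or
    None if the bytes are not a parseable request carrying a Host header.

    Only the header block (up to the first blank line) is examined,
    the header name is matched case-insensitively, an explicit ":port"
    suffix is dropped so "host:80" and "host" compare equal, and an
    IPv6 literal keeps its brackets.
    """
    head, _, _ = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or len(lines[0].split(b" ")) != 3:
        return None  # not a request line such as "GET / HTTP/1.1"
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if host.startswith("["):
                end = host.find("]")
                host = host[: end + 1] if end != -1 else host
            elif ":" in host:
                host = host.rsplit(":", 1)[0]
            return host.rstrip(".")
    return None


def host_matches(host: str, pattern: str) -> bool:
    """Exact match, or subtree match for "*.domain" patterns."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


@dataclass
class Decision:
    action: str          # "block" or "pass"
    host: Optional[str]  # what the filter saw, for the log line
    reason: str


def check_request(request: bytes, acl=BLOCKED_HOSTS) -> Decision:
    """Steps b) to d): analyse Host, check the ACL, block or pass."""
    host = extract_host(request)
    if host is None:
        # Fail open on unparseable traffic so that non-HTTP on port 80
        # is logged rather than silently dropped.
        return Decision("pass", None, "no Host header")
    for pattern in acl:
        if host_matches(host, pattern):
            return Decision("block", host, f"matched ACL entry {pattern}")
    return Decision("pass", host, "not in ACL")


if __name__ == "__main__":
    # Constructed sample requests as they would appear on port 80.
    samples = [
        b"GET / HTTP/1.1\r\nHost: blockedblog.blogspot.com\r\n\r\n",
        b"GET / HTTP/1.1\r\nhost: BlockedBlog.blogspot.com:80\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: other.blogspot.com\r\n\r\n",
        b"GET /x HTTP/1.1\r\nHost: deep.sub.example-banned.test\r\n\r\n",
        b"\x16\x03\x01 not http at all",
    ]
    for s in samples:
        d = check_request(s)
        print(f"{d.action:5} host={d.host!r} ({d.reason})")
```

Two design points worth noting: the match is done on the normalised header value, so case, a trailing dot and an explicit ":80" do not let a request slip past an exact entry; and the filter fails open on anything it cannot parse, which keeps non-HTTP traffic on port 80 flowing and makes the "no Host header" decision visible in the log instead of hiding it.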

