
List:       ipfilter
Subject:    Re: Filter question
From:       Clayton Fiske <clay () bloomcounty ! org>
Date:       2002-12-06 7:09:19

On Fri, Dec 06, 2002 at 04:12:48PM +1100, grant beattie wrote:
> On Fri, Dec 06, 2002 at 12:02:56AM -0500, Small, Jim wrote:
> 
> > Is it possible to filter on domain names instead of/in addition to IPs?
> > block out log quick on <IF> proto tcp from any to pornography.com
> > 
> > I would like to mention that I *know* it would be slow.  But let's say I'm
> > stubborn and want to do it anyway!  How would I set up such a configuration?
> 
> Yes, the example you used will work. Note that the IP address lookup
> is done at rule load time, not runtime.

Also worth noting that this would block any other sites using that
IP (vhosting is common).

If he is concerned about web access specifically, my suggestion
would be to set up ipnat to transparently redirect through squid
and block offending URLs there.

-c
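
Added example, not part of the original message: one way the ipnat-plus-squid suggestion above can be expressed as configuration. The interface name `le0`, the ACL name `blocked_sites` and the port 3128 are assumptions for illustration.

```conf
# ipnat rules file. le0 is an assumed name for the inside (LAN-facing) interface.
# Redirect outbound web traffic arriving on le0 to a squid instance on this host.
rdr le0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp

# squid.conf. Accept the redirected connections on port 3128.
# This is Squid 3.1 and later syntax; Squid 2.x of the thread's era used the
# httpd_accel_* directives for transparent operation instead.
http_port 3128 intercept

# Match on the requested host name rather than the resolved IP, so other
# virtual hosts sharing the same address stay reachable.
# blocked_sites is an assumed ACL name. Put the deny line before any
# http_access allow line, because squid stops at the first matching rule.
acl blocked_sites dstdomain .pornography.com
http_access deny blocked_sites
```

The redirect covers plain HTTP on port 80 only, and squid has to be built with IP Filter interception support to recover the original destination of redirected connections.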
