From: Alex Zbyslaw
Date: Wed, 12 Dec 2007 12:01:14 +0000
To: Nikos Vassiliadis, freebsd-questions@freebsd.org
Subject: Re: performance impact of large /etc/hosts files
Message-ID: <475FCD8A.5090903@dial.pipex.com>
In-Reply-To: <200712120920.46626.nvass@teledomenet.gr>

Nikos Vassiliadis wrote:

> On Wednesday 12 December 2007 04:06:01 Erich Dollansky wrote:
>
>>> There's no clean solutions to getting different lookups per-user that
>>> I
>>>
>>
>> The clean solution is hosts.
>>
>
> But hosts is operating system-wide.
>
> Both ipfw and pf support tables, which is what you
> want, large sets or unrelated (addresses|networks).
> Both of them support UID matching as a target
> (caution: this feature is not mpsafe on FreeBSD-6).

I don't understand how you think any firewall would do this. Firewalls will block based on IP addresses, whereas what I do (pointing numerous ad sites at a local apache vhost) works based on names. I have no clue if the ad sites share IP addresses with anything else, nor do I care; nor do I care if some ad site has 50 different IP addresses, because I never resolve the real IP.

To take a random, made-up example:

ads.useful.site = 10.1.1.1
www.useful.site = 10.1.1.1

Using hosts (or DNS) I can make ads.useful.site instead = 192.168.1.1

or ads.useful.site = 10.1.1.1 -> 10.1.1.255, but I'm going to spend *forever* before I get all those IP addresses from a round-robin DNS entry to put into some ipfw table, and if any of those addresses also hosts the main site, I end up blocking that too.

I don't see how a firewall is appropriate for this (hosts.allow, likewise). The point of the exercise is to never even contact the ad host.

If I've misunderstood something about your approach, please enlighten me.

--Alex
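The contrast Alex draws (sinkholing ad hostnames in /etc/hosts versus collecting their addresses into an ipfw table), as an added Python example that is not part of the thread. DNS_VIEW, AD_HOSTS and the sinkhole address are constructed values for the demonstration, loosely following his made-up addresses; the collateral_damage check shows which legitimate names an address-based table would cut off as well.

```python
import ipaddress

# Constructed DNS view for the example: each name resolves to a set of
# addresses (round-robin), and the ad host shares one address with the
# main site, exactly the situation the mail describes.
DNS_VIEW = {
    "www.useful.site": {"10.1.1.1", "10.1.1.2"},
    "ads.useful.site": {"10.1.1.1", "10.1.1.50", "10.1.1.51"},
    "cdn.other.example": {"10.2.2.2"},
    "ads.other.example": {"10.2.2.9"},
}
AD_HOSTS = ["ads.useful.site", "ads.other.example"]
SINKHOLE = "192.168.1.1"  # assumed local vhost that serves an empty page


def hosts_entries(ad_hosts, sinkhole=SINKHOLE):
    """Name-based approach: one /etc/hosts line per ad host, no lookup needed."""
    return [f"{sinkhole}\t{name}" for name in ad_hosts]


def ipfw_table(ad_hosts, dns_view):
    """Address-based approach: every address the ad names currently resolve to."""
    addrs = set()
    for name in ad_hosts:
        addrs |= dns_view.get(name, set())
    return sorted(addrs, key=ipaddress.ip_address)


def collateral_damage(ad_hosts, dns_view):
    """Legitimate names sharing an address with the table; they get blocked too."""
    blocked = set(ipfw_table(ad_hosts, dns_view))
    hit = {}
    for name, addrs in dns_view.items():
        if name in ad_hosts:
            continue
        shared = addrs & blocked
        if shared:
            hit[name] = sorted(shared, key=ipaddress.ip_address)
    return hit


if __name__ == "__main__":
    print("\n".join(hosts_entries(AD_HOSTS)))
    print("ipfw table would need:", ipfw_table(AD_HOSTS, DNS_VIEW))
    print("also blocked by that table:", collateral_damage(AD_HOSTS, DNS_VIEW))
```

Any change in the ad host's round-robin set invalidates the table, while the hosts entries stay correct without ever resolving the real addresses.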