From: Alex Zbyslaw
Date: Wed, 12 Dec 2007 12:31:08 +0000
To: "Heiko Wundram (Beenic)"
Cc: freebsd-questions@freebsd.org, Nikos Vassiliadis
Subject: Re: performance impact of large /etc/hosts files
Message-ID: <475FD48C.7090508@dial.pipex.com>

Heiko Wundram (Beenic) wrote:

>On Wednesday, 12 December 2007 13:01:14, Alex Zbyslaw wrote:
>
>>I don't see how a firewall is appropriate for this (hosts.allow,
>>likewise). The point of the exercise is to never even contact the ad host.
>
>Transparent proxy with squid on the firewall? There's even plugins to manage
>exactly this kind of ad-blocking with squid; although I don't currently know
>the extension's name.
>
>This is pretty much going to be your only option to do this in a centralized
>fashion.

Squid may well be an alternative solution, but it's not, imho, a firewall solution as Nikos was proposing. I have zero experience of squid beyond reading about it, but it has always sounded like a major resource hog. Perhaps just running one plugin to do just this would be OK?

The advantage of /etc/hosts is simplicity. For a small home network of BSD machines it's pretty trivial to propagate updates. Not even *that* hard to copy the file to a couple of Windows machines. Beyond that, the updates could get pretty tedious. For a network-wide, multi-OS solution I would still look at DNS just because it's more lightweight than squid.

Which is not to say that someone else shouldn't reach an alternate conclusion :-) Always good to know what the alternatives are!

Best,

--Alex