Date:      Wed, 12 Dec 2007 12:01:14 +0000
From:      Alex Zbyslaw <xfb52@dial.pipex.com>
To:        Nikos Vassiliadis <nvass@teledomenet.gr>, freebsd-questions@freebsd.org
Subject:   Re: performance impact of large /etc/hosts files
Message-ID:  <475FCD8A.5090903@dial.pipex.com>
In-Reply-To: <200712120920.46626.nvass@teledomenet.gr>
References:  <475E0190.7030909@pacific.net.sg> <475EC215.8060004@dial.pipex.com> <475F4209.8080507@pacific.net.sg> <200712120920.46626.nvass@teledomenet.gr>

Nikos Vassiliadis wrote:

>On Wednesday 12 December 2007 04:06:01 Erich Dollansky wrote:
>
>>>There are no clean solutions to getting different lookups per-user that I
>>>
>>The clean solution is hosts.
>>
>
>But hosts is operating system-wide.
>
>Both ipfw and pf support tables, which is what you
>want, large sets or unrelated (addresses|networks).
>Both of them support UID matching as a target
>(caution: this feature is not mpsafe on FreeBSD-6).
>
I don't understand how you think any firewall would do this.  Firewalls 
will block based on IP addresses, whereas what I do (pointing numerous 
ad sites at a local apache vhost) works based on names.  I have no clue 
if the ad sites share IP addresses with anything else, nor do I care; 
nor do I care if some ad site has 50 different IP addresses because I 
never resolve the real IP.

To take a random, made up example:

ads.useful.site = 10.1.1.1
www.useful.site = 10.1.1.1

Using hosts (or DNS) I can make ads.useful.site instead = 192.168.1.1

or

ads.useful.site = 10.1.1.1 -> 10.1.1.255

but I'm going to spend *forever* before I get all those IP addresses 
from a round-robin DNS entry to put into some ipfw table, and if any of 
those addresses also hosts the main site, I end up blocking that too.

I don't see how a firewall is appropriate for this (hosts.allow, 
likewise).  The point of the exercise is to never even contact the ad host.

If I've misunderstood something about your approach, please enlighten me.

--Alex
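To make the name-versus-address distinction in the reply above concrete, here is an added example (it is not from the thread and not FreeBSD code): it resolves names through a constructed hosts file and constructed DNS answers in the usual files-then-dns order, and reports which other names an address-based firewall table built from the ad host's round-robin addresses would also cut off.

```python
# Added example (not from the thread). Models the reply's point: a hosts(5)
# override is keyed on the name, so a round-robin ad host that shares
# addresses with a wanted site is sinkholed without side effects, while an
# address-based firewall table built from the same records blocks both.
# Hostnames and addresses below are constructed sample data.

HOSTS_FILE = """\
127.0.0.1   localhost
# sinkhole: local apache vhost answers for the ad host
192.168.1.1 ads.useful.site
"""

# Constructed stand-in for real DNS answers (ads host is round-robin).
DNS_RECORDS = {
    "ads.useful.site": ["10.1.1.1", "10.1.1.2", "10.1.1.3"],
    "www.useful.site": ["10.1.1.1"],
}


def parse_hosts(text):
    # name -> address; comments stripped, first entry for a name wins
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def resolve(name, hosts, dns):
    # order 'files dns': a hosts match means DNS is never consulted
    hit = hosts.get(name.lower())
    return [hit] if hit else dns.get(name, [])


def collateral_damage(block, dns):
    # names not in `block` that share an address with a blocked name,
    # i.e. what an address-based firewall table would also cut off
    blocked_addrs = {a for n in block for a in dns.get(n, [])}
    return {n: set(a) & blocked_addrs for n, a in dns.items()
            if n not in block and set(a) & blocked_addrs}


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    print(resolve("ads.useful.site", hosts, DNS_RECORDS))  # ['192.168.1.1']
    print(resolve("www.useful.site", hosts, DNS_RECORDS))  # ['10.1.1.1']
    print(collateral_damage({"ads.useful.site"}, DNS_RECORDS))
```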
