Thank u so much for yr detail explanation.. Quoting Jason Opperisano <opie@xxxxxxxxxxx>: > On Sun, 2005-02-13 at 01:53, spdesai@xxxxxxxxx wrote: > > Hi all...particularly Askar,Eric Leblond,Jason Opperisano (which help me) > > > > I have tried to restrict particular website through IPTABLE and its working > > > file .i have use below rules for that.. > > > > Suppose we want to open only www.ndtv.com,www.cnn.com ....then i gave rules > as > > per below order only... > > > > iptables -A FORWARD -s 192.168.1.2 -d www.ndtv.com -p tcp --dport 80 -j > ACCEPT > > iptables -A FORWARD -s 192.168.1.2 -d www.cnn.com -p tcp --dport 80 -j > ACCEPT > > iptables -A FORWARD -p tcp --dport 80 -j DROP > > ok--this is exactly why *i* personally don't think this is a good way to > do this. i'm not trying to say i'm right, but let me at least explain > why i feel the way i do. let's go to http://www.cnn.com/ shall we? > > first off; at this moment in time, www.cnn.com resolves to: > > 64.236.16.20 > 64.236.16.52 > 64.236.16.84 > 64.236.16.116 > 64.236.24.4 > 64.236.24.12 > 64.236.24.20 > 64.236.24.28 > > your rule that specifies "-d www.cnn.com" will resolve that name to IP > address(es) at the time the rule is loaded. if cnn decides to > add/change the IP's for that FQDN--you will need to reload your rules to > pick up the change. IMHO: strike one. > > k--now we have our 8 filter rules in place for those IP's--let's > actually fire up our trusty web browser (mosaic...natch). when i browse > to http://www.cnn.com/ i make requests to: > > www.cnn.com > i.a.cnn.net > i.cnn.net > cnn.dyn.cnn.com > > we already have the first one accounted for in our filter rules > (obviously)--so now, i.a.cnn.net (at this moment in time) resolves to: > > 64.236.40.64 > 64.236.40.5 > 64.236.40.8 > 64.236.40.21 > 64.236.40.32 > 64.236.40.46 > 64.236.40.53 > 64.236.40.63 > > note that these are akamai addresses and they *will* change frequently. > > next up is i.cnn.net, which currently resolves to: > > 64.236.16.138 > 64.236.16.139 > 64.236.24.136 > 64.236.24.137 > 64.236.24.138 > 64.236.24.139 > 64.236.16.136 > 64.236.16.137 > > and lastly, we have cnn.dyn.cnn.com (which judging from its name is > probably a dynamic; i.e. changing, address): > > 64.236.22.20 > 64.236.22.21 > 64.236.29.20 > 64.236.29.21 > > alright--so to allow access to cnn.com requires 28 rules to allow access > to 28 IP addresses (generated from the 4 -d $FQDN rules) that can change > whenever they gosh darn feel like and it's up to me to figure all this > out...i s'pose we could just allow access to the entire 64.236.0.0/16 > net and be done, right? one rule, *should* cover whatever IP changes > they decide, right? it *is* kind of a shame that we would be allowing > web browsing into a network owned by AOL though, huh? sorta defeats the > purpose. IMHO: strike two > > let's also keep in mind--i have not clicked through anything on the site > yet (and i don't plan to, as this is getting a bit ridiculous), but i'm > guessing i'd need to analyze more traffic, and add more hosts if i > wanted to watch one of their videos, or listen to their radio etc... > > but there no easier way to do this, right? when all you have is a > hammer, every problem starts to look like a nail, or something like > that. > > i personally am not willing to go through that much effort for my users > (or myself, actually). i also prefer not not implement solutions that > require constant care and feeding like the above. not when i can add: > > acl cnn dstdomain .cnn.com .cnn.net > http_access allow cnn > > to my squid.conf and move on with my life. > > -j > > ps - i'm aware there was never a strike three. if you want to put in > the effort to do this, more power to you. in my experience people that > start down this path either (a) give up on it and decide to use a > app-level filter (b) give up on it and just allow everything or (c) let > it rot away to the point where users lose faith that the admin has any > clue as to what he/she is doing. > > -- > "It takes two to lie. One to lie and one to listen." > --The Simpsons > > > ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/
