>> i'd like to know how many rule can manage iptable. >> I'm asking that because i'd to drop all traffric from my localnet to >> porn site. I've a database of porn site witch contain about 900 000 >> domains. I know there are solutions like squidguard. But for my linux >> box i'd to use iptable to prevent users access to porn site and other >> blacklist site. > > It's not feasible to implement 900 000 long ruleset in iptables > even with ipset extension or with fancy hierarchical chains. The > other problem is that iptables works on ip addresses and your database > is comprised of domains. There can be more then one site on single ip > address. Blocking IPs and not domains could cut access to some legit > sites. > > Squid+squidguard is good option. I've heard of some dns based > solutions (domain blacklisting on dnscache level), but I don't know any > actual software. i.e. http://www.peereboom.us/adsuck/ adsuck is a small dns server that spoofs blacklisted addresses and forwards all other queries. The idea is to be able to prevent connections to undesirable sites such as ad servers, crawlers, etc. It can be used locally, for the road warrior, or on the network perimeter in order to protect local machines from malicious sites. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html