On 06/22/10 13:41, Curby wrote:
As far as I know, ad blocking is more commonly performed using DNS, by resolving domain names to 127.0.0.1, or to a server to serve up notices of removed content (e.g. in a business environment, users could request that sites be unblocked). Is there a reason why you want to block specific IP addresses instead of domains?
Agreed. Normally this is done via DNS, or (IMHO) better via an application layer proxy.
If I was going to DNS poison names where content was served from, I'd either provide a place holder, or an HTTP 404 error so that the client could gracefully handle the missing (blocked) content.
Anyway, I suspect that sending back appropriate ICMP error messages instead of DROPing such requests would provide hints to clients that they should give up instead of wait for a reply.
Agreed. This is why you want to REJECT with an ICMP error message, so that clients (that will honer them) get an immediate notification that the connection has been blocked.
Not all clients will honor the ICMP rejection message. But that is a client problem, not a flaw introduced by your firewall. Returning an HTTP 404 error would probably be better handled than returning an ICMP unreachable message.
Grant. . . . -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
