 
 From:  "Chris Bagnall" <m0n0wall at minotaur dot cc>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Ad Blocking in m0n0wall
 Date:  Tue, 9 Nov 2004 17:49:27 -0000
> Blocking of ads along with www sites that are not needed in 
> a business should always take place at the edge (firewall), 
> allowing this sort of traffic to the inside is really BAD, it 
> can allow all sorts of bad things to happen at the 
> workstation level and depending on users to do the right 
> thing?

I think the problems with doing this at the m0n0wall level are threefold:

1) You aren't giving your users the *choice* about whether they want
ads/porn/whatever blocked. I think this is really important - if I'm
blocking ads I want people to know that they're being blocked, why they're
being blocked, and how to unblock them if they need to. To the best of my
knowledge, the m0n0 approach doesn't really give you a nice easy way to do
that (apart from defining external DNS servers manually on the client,
bypassing the DNS proxy in m0n0).

2) Technical: that list is gonna be a bugger to update. You'd have to
download the config.xml file, remove the old database, add the new database
in the right format, "restore" it to m0n0, and reboot the router. That's not
particularly desirable if it means you're gonna lose net connectivity for a
few minutes when people are trying to use the thing.

3) Getting Squid to do it on a dedicated machine is faster. I've an XP1700+
(hell, it was cheaper than a PIII, even second-hand ones) running as a
"network services" machine for the sort of things that m0n0 doesn't do -
that's things like a Squid proxy (the cache is extremely helpful if you've
lots of client machines accessing similar/the same sites), Samba for a WINS
server, NTPd for clock updates, etc. etc. Updating the list of blocksites is
a simple matter of replacing the .acl file I've defined for the task with a
new one, then telling Squid to reload the config. No restarts of anything
involved. No downtime. And if a user wants to bypass ad-blocking for any
site, they simply define it as an exception to the proxy server rules.

Regards,

Chris
-- 
C.M. Bagnall, Partner, Minotaur
Tel: (07010) 710715   Mobile: (07811) 332969   ICQ: 13350579
AIM: MinotaurUK   MSN: minotauruk at hotmail dot com   Y!: Minotaur_Chris
This email is made from 100% recycled electrons
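The Squid workflow described in point 3 (a dstdomain ACL file swapped out and reloaded without a restart), as an added example that is not code from the original post or from the Squid project; the file paths, ACL name and the sample blocklist lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Build a Squid dstdomain ACL file from a plain-text blocklist and reload Squid.
# Paths and ACL name below are assumptions, not taken from the original post.

# Normalize a raw blocklist (stdin) into Squid dstdomain syntax (stdout):
# drop comments and blank lines, lowercase, strip a leading "www.", and
# prefix a dot so every subdomain of a listed host is matched as well.
normalize_blocklist() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | tr '[:upper:]' '[:lower:]' \
      | sed -e '/^$/d' -e 's/^www\.//' -e 's/^\.//' -e 's/^/./' \
      | sort -u
}

# Emit the squid.conf stanza that denies requests to the listed domains.
# "blocksites" is an assumed ACL name; the file must be readable by Squid.
squid_block_stanza() {
    acl_file=$1
    printf 'acl blocksites dstdomain "%s"\n' "$acl_file"
    printf 'http_access deny blocksites\n'
}

# Replace the live ACL file atomically (write to a temp file, then rename)
# and ask the running Squid to re-read its configuration. No restart, no
# downtime. The reload step is skipped when squid is not installed.
install_blocklist() {
    src=$1
    dst=$2
    normalize_blocklist < "$src" > "$dst.tmp" && mv "$dst.tmp" "$dst"
    if command -v squid >/dev/null 2>&1; then
        squid -k reconfigure
    fi
}

# Example usage (assumed paths):
#   squid_block_stanza /etc/squid/blocksites.acl >> /etc/squid/squid.conf
#   install_blocklist /tmp/new-blocklist.txt /etc/squid/blocksites.acl
```

Clients that need a site unblocked keep the per-browser proxy exception the post mentions; the ACL file only needs to change when the list itself does.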