 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Ad Blocking in m0n0wall
 Date:  Wed, 10 Nov 2004 03:36:47 -0500
This thread has been beaten to death, but I'll throw in my 2 cents anyway.

On Wed, 10 Nov 2004 09:01:33 +0100, Vincent Fleuranceau
<vincent at bikost dot com> wrote:
> -------- Original Message --------
> > Blocking of ad's along with www sites that are not needed in a business
> > should always take place at the edge (firewall), allowing this sort of
> > traffic to the inside is really BAD, it can allow all sorts of bad things to
> > happen at the workstation level and depending on users to do the right
> > thing? .. We have loaded on m0n0wall the whole list of blocks and find that
> > yes it does take 20 sec longer to load the firewall from a reload but its
> > still under a min to come back up . Heck how many PIX's can say that ..

I haven't timed it, but I think my PIX takes ~30 seconds to reload
(definitely less than a minute).  m0n0wall does boot very quickly, but
a PIX is a bad comparison.  :)  But considering you should only need
to reboot your m0n0wall for upgrades or in the case of power failures
(if you don't have a UPS), this is a moot point, IMO.

> > Memory? .. We have found that 256megs of memory handles just about anything
> > we can throw at the firewall .. Running P3 800's on the Firewalls and they
> > barely see 5% CPU usage most of the day.
> >
> > Block at the edge is my vote.
> >

I'd much rather use client-side blocking personally, but with a
network with users that's not really a viable option.  If you rely on
a user to do anything you can ensure that control won't work the vast
majority of the time.

The problem with blocking domains by redirecting to is that
browsers tend to act weird when an image can't be loaded from a server
they can't contact.  Sometimes it causes the page to load very slowly
(waiting for a timeout); IE, for the folks that insist on using it,
makes you hit the back button twice on any pages that have images
blocked like that, etc.  Setting it to the IP of a web server on your
LAN that serves either completely blank white or black pages for 404's
is a much better solution though it's still not ideal.

The nice thing about AdBlock in Firefox is it'll remove the whole
space the ad should have taken, or iFrames when they're used, and
doesn't have the problem I just described.  AdBlock also allows much
finer grained control over what you do and don't block.  It'd be nice
to see a corporate AdBlock that'll pull its block list from a central

> What about Soekris net4501 boxes with 133 MHz CPU and 64 Mb RAM?

Depends on how much RAM you have available, which depends on what
services you're using.  Obviously throwing a few hundred or thousand
DNS overrides in your config is going to eat up some RAM.  But my
4501's, which run quite a few services, run at 40-45% RAM utilization
or less, so you figure you should be able to hold a ton of DNS entries
in the remaining ~20 MB RAM you could use (being conservative, leaving
plenty for any peak needs you may have and for upgrades via the webGUI
which requires a few MB).
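The "blank page" approach described in the reply above (point the DNS overrides at a web server on the LAN that answers every blocked request with an empty page instead of a timeout or a 404) is easy to try out. The following is an added example written for this archive page, not code from the thread or from the m0n0wall project: a small Python sinkhole HTTP server that returns an empty HTML page, an empty script, or a 1x1 transparent GIF depending on what the browser appears to be asking for, plus a helper that renders the corresponding dnsmasq `address=/domain/ip` override lines. The function names, the constructed domain list and the sinkhole IP are assumptions; how m0n0wall itself stores overrides in its config is not reproduced here.

```python
import base64
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Bodies for blocked requests (constructed here). The GIF is the usual
# 43-byte 1x1 transparent "pixel" image, base64-encoded.
BLANK_HTML = b"<!DOCTYPE html><html><head><title></title></head><body></body></html>"
PIXEL_GIF = base64.b64decode(
    "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"
)
IMAGE_EXTENSIONS = (".gif", ".png", ".jpg", ".jpeg", ".webp", ".ico")
SCRIPT_EXTENSIONS = (".js",)


def sinkhole_response(path):
    """Pick (status, content-type, body) for a request to a blocked host.

    The path is only used to guess what the browser expects back; every
    answer is a 200 with a harmless body, so the browser neither waits for
    a connection timeout nor records a failed navigation (the back-button
    problem mentioned in the thread).
    """
    bare = path.split("?", 1)[0].lower()
    if bare.endswith(IMAGE_EXTENSIONS):
        return 200, "image/gif", PIXEL_GIF
    if bare.endswith(SCRIPT_EXTENSIONS):
        return 200, "application/javascript", b""
    return 200, "text/html; charset=utf-8", BLANK_HTML


class SinkholeHandler(BaseHTTPRequestHandler):
    """Answer every GET/HEAD with the blank response, never with a 404."""

    def _send(self, with_body):
        status, ctype, body = sinkhole_response(self.path)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Cache-Control", "no-store")
        self.end_headers()
        if with_body:
            self.wfile.write(body)

    def do_GET(self):
        self._send(with_body=True)

    def do_HEAD(self):
        self._send(with_body=False)

    def log_message(self, format, *args):  # keep the demo quiet
        pass


def start_sinkhole(host="127.0.0.1", port=0):
    """Start the server on a background thread; port 0 picks a free port."""
    server = ThreadingHTTPServer((host, port), SinkholeHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return server


def fetch(server, path):
    """Client helper for the demo: GET `path` from the sinkhole and return
    (status, content-type, body)."""
    host, port = server.server_address[:2]
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Content-Type"), resp.read()
    finally:
        conn.close()


def dnsmasq_overrides(blocked_domains, sinkhole_ip):
    """Render dnsmasq 'address=/domain/ip' lines (m0n0wall's DNS forwarder is
    dnsmasq) that send each listed ad domain to the sinkhole server. Blank
    lines and '#' comments in the input list are skipped."""
    lines = []
    for domain in blocked_domains:
        domain = domain.strip().lower().rstrip(".")
        if domain and not domain.startswith("#"):
            lines.append(f"address=/{domain}/{sinkhole_ip}")
    return lines


if __name__ == "__main__":
    srv = start_sinkhole()
    print("sinkhole listening on", srv.server_address)
    print(fetch(srv, "/ads/banner.gif")[:2])          # (200, 'image/gif')
    # Constructed sample list; 192.168.1.5 is an assumed LAN address.
    print("\n".join(dnsmasq_overrides(["ads.example", "tracker.example"], "192.168.1.5")))
    srv.shutdown()
```

Run it as-is to see the server answer a fake banner request, then point a test client's DNS at an override for one domain and watch the page render with an empty slot instead of a broken image. `Cache-Control: no-store` is deliberate: if the browser cached the blank answer, removing a domain from the override list later would not take effect until the cache expired.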