 From:  ryan <ryanag at zoominternet dot net>
 To:  Don Munyak <don dot munyak at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Host list feature request
 Date:  Mon, 4 Apr 2005 12:00:23 -0500
The hosts file is a way to map names to IP addresses.

If I want to block a specific domain, I can map it to 127.0.0.1. My PC checks 
its hosts file *before* looking to the DNS server for mappings. Perhaps I 
would want to block a giant list of spyware / ad farms.... google on "hosts 
file" - at least 4 or 5 will come up with hundreds of entries ready for cut 
and paste.

If I would do the same (and I have with smoothwall/ipcop) on a firewall 
running DNS proxy, I get similar results.

I could get the same thing in m0n0wall if I were willing to write IP address 
rules blocking WAN traffic to every single "bad IP". Unfortunately, that task 
would take forever, and it's not immediately obvious to me what IP addresses a 
spyware host will use (whereas a domain name is somewhat static).

Also, it would be convenient for a small network to be able to see 
printers/file servers by name. Networks too small to run their own DNS servers 
can manually update hosts files on each PC - once you get around 5 or 6 this 
is a pain.


The advantage of using the m0n0wall as the central point for the hosts file 
mods is so you don't need to update them on all the machines connected to the 
network.


Short answer to your questions: Both. ;-)

On Monday 04 April 2005 09:59, Don Munyak wrote:
> My question is slightly my confusion.
>
> Do you want to use host files for blocked websites?
> or...for LAN clients wanting to go through the firewall ?
>
> - don
>
> On Apr 4, 2005 11:52 AM, ryan <ryanag at zoominternet dot net> wrote:
> > > According to me, the directives of the creator of m0n0wall, has been
> > > clearly stated that m0n0wall, wants to be basically a firewall, and do
> > > activities based on a Firewall, and not an e-mail server, spamfighter
> > > etc...
> >
> > Making the modifications we discussed (hosts file blocking) does not make
> > m0n0wall an email server or spamfighter.
> >
> > It does give some more access control flexibility, something most
> > firewalls try to do.
> >
> > > What i would advise, is installing redwall-firewall or clarck connect
> > > of which u can use as a stand-alone server, and have your users using
> > > transparent proxy,
> >
> > Overkill for the requested feature.
> >
> > The only things required are:
> > -Proxy DNS on the firewall (m0n0wall does this already)
> > -a place to put the modifications and an easy way to edit
> >
> > A proxy server is not required for a firewall to implement access control
> > based on hostname if it acts as a DNS proxy.
> >
> > > cause slower reboots, and if i'm on the right track, i
> > > think it did cause some extra cpu burden, depending on the size of the
> > > host file
> >
> > Clearly an issue. I've run hosts-file based blocking on ancient machines
> > with coyote linux and have seen no slowdown. I doubt the performance hit
> > would be too terrible, although I have no evidence unless we try it. :-D
> >
> > On Monday 04 April 2005 08:35, Mr. listman wrote:
> > > According to me, the directives of the creator of m0n0wall, has been
> > > clearly stated that m0n0wall, wants to be basically a firewall, and do
> > > activities based on a Firewall, and not an e-mail server, spamfighter
> > > etc...
> > >
> > > What i would advise, is installing redwall-firewall or clarck connect
> > > of which u can use as a stand-alone server, and have your users using
> > > transparent proxy,
> > > Clearkconnect has all these added features,
> > > SpamFighter, Popup Blocker, SpyWare blocker, u name it.
> > >
> > > We would like to have all of these nice tools on one dedicated pc,
> > > but the creator of m0n0wall, made it clearly the direction of m0n0wall,
> > > so many other features just won't be added, or maybe u can take a look
> > > at pfsense..
> > >
> > > If u search the threads, u would find a thread on using the host file,
> > > as some kind of blocker, but if my memory serves me correct, it took
> > > some extra time to load, cause slower reboots, and if i'm on the right
> > > track, i think it did cause some extra cpu burden, depending on the
> > > size of the host file
> > >
> > > over and out
> > >
> > > On Monday 04 April 2005 07:35, Curt Maughs wrote:
> > > > > Would anyone besides myself find this useful?
> > > > > I am trying to add hosts from the blacklisted mailservers and spyware
> > > > > host lists so that I will not have to worry if a user's individual
> > > > > machine is updated anymore.
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
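
The thread asks for one central hosts list serving two purposes: LAN names and cut-and-paste block lists. The following added example (not part of the original messages and not m0n0wall code) merges the two while refusing pasted entries that point at anything other than a sinkhole address or that would shadow a LAN name. Function names and all sample data are constructed for illustration.

```python
import ipaddress

SINKHOLES = {"127.0.0.1", "0.0.0.0"}  # the only targets a block entry may use

# Constructed sample data (documentation addresses and example domains only).
LAN_HOSTS = """\
192.168.1.10  printer printer.lan
192.168.1.20  fileserver
"""
PASTED_BLOCKLIST = """\
# list pasted from the web
127.0.0.1    localhost
127.0.0.1    ads.example.com
0.0.0.0      tracker.example.net   # trailing comment
127.0.0.1    ADS.example.com
203.0.113.7  update.example.org
127.0.0.1    printer
"""

def parse_hosts(text):
    """Yield (lineno, ip, [names]) for each entry in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2:
            yield lineno, fields[0], [n.lower().rstrip(".") for n in fields[1:]]

def build_central_hosts(lan_text, blocklist_text):
    """Return (mapping, rejected); LAN entries always take precedence."""
    mapping, rejected = {}, []
    for _, ip, names in parse_hosts(lan_text):
        ipaddress.ip_address(ip)                # ValueError on a malformed LAN entry
        for name in names:
            mapping[name] = ip
    for lineno, ip, names in parse_hosts(blocklist_text):
        for name in names:
            if ip not in SINKHOLES:             # a "block" entry that redirects elsewhere
                rejected.append((lineno, name, "non-sinkhole address " + ip))
            elif mapping.get(name, "127.0.0.1") not in SINKHOLES:
                rejected.append((lineno, name, "would override LAN name"))
            else:
                mapping[name] = "127.0.0.1"     # normalise every block to one sinkhole
    return mapping, rejected

def render(mapping):
    """Serialise the merged mapping back to hosts-file format."""
    return "\n".join(f"{ip}\t{name}" for name, ip in sorted(mapping.items()))

if __name__ == "__main__":
    merged, bad = build_central_hosts(LAN_HOSTS, PASTED_BLOCKLIST)
    print(render(merged))
    for lineno, name, why in bad:
        print(f"rejected line {lineno}: {name} ({why})")
```
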