pk said the following on 2008-09-14 13:25:
> Ok, good to know. I tried something simpler; putting the domain in
> /etc/hosts pointing to 127.0.0.1 (as suggested by Neil Bothwick). But
> I'll keep this in mind for the future. Thanks for the input!

Yes, putting the domain/IP address in the hosts file works, but has the negative side effect of being slower (at least if your hosts file is big. Parsing a big hosts file slows down networking overall because of the parsing process. If the file is small/short it's not a big problem). With TCP reset, it's a lot quicker.

If You want to block lots of ads/banner domains and/or malware/porn sites it's usually more efficient to use TCP reset, within reason of course... huge iptables blocks tend to slow things down as well unless You use IPset (an extension of iptables). Shorewall actually supports IPset, if You have those extensions compiled in Your kernel...

IPset is a means of creating hashes for one or more address blocks or addresses, which speeds things up quite a lot. See http://ipset.netfilter.org/ and http://www.shorewall.net/ipsets.html

BTW, Gentoo supports IPsets - in Portage it's under net-firewall/ipset but You have to recompile Your kernel, which may be too much work for You since we're discussing one domain/IP address in this case.

Have a nice Sunday :) I surely will as I'm watching F1 at Monza right now :)

//Tony
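The hashed-set approach described in the message above, as an added example that is not part of the original post: it turns a blocklist into `ipset restore` input and emits the single iptables rule that answers matches with a TCP reset. It assumes current ipset/iptables syntax (`hash:net`, `--match-set`), which differs from the 2008 releases; the set name `blocklist` and the addresses are constructed.

```shell
#!/bin/sh
# Added example: turn a blocklist of IPv4 addresses/CIDRs into `ipset restore`
# input plus the one iptables rule that answers matches with a TCP reset.
# Set name and addresses are constructed (RFC 5737 documentation ranges).

# gen_ipset_restore SETNAME: read entries on stdin, write restore lines.
gen_ipset_restore() {
    awk -v set="$1" '
        function valid(e,    p, o, n, i) {
            n = split(e, p, "/")
            if (n > 2) return 0
            if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 < 1 || p[2] + 0 > 32))
                return 0
            if (split(p[1], o, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        BEGIN { print "create " set " hash:net family inet" }
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }    # strip comments, whitespace
        $0 == "" { next }
        !valid($0) { print "skipped: " $0 > "/dev/stderr"; next }
        !seen[$0]++ { print "add " set " " $0 }     # de-duplicate entries
    '
}

# gen_reject_rule SETNAME: one rule covers the whole set, so rule count stays
# constant as the list grows. tcp-reset is only valid together with -p tcp.
gen_reject_rule() {
    printf 'iptables -I OUTPUT -p tcp -m set --match-set %s dst -j REJECT --reject-with tcp-reset\n' "$1"
}

# Constructed sample input, including a duplicate and a malformed entry.
sample_blocklist() {
    cat <<'EOF'
# constructed sample entries
192.0.2.10
198.51.100.0/24
192.0.2.10          # duplicate
203.0.113.999       # invalid octet
EOF
}

# Print what would be loaded; to apply as root, pipe the first command into
# `ipset -exist restore` and run the printed iptables rule.
sample_blocklist | gen_ipset_restore blocklist
gen_reject_rule blocklist
```
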