----- Original Message -----
From: "vince cagud" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 14, 2002 4:53 PM
Subject: Re: [plug] (no subject)
> it's trivial to reverse said rule. good point though. you might actually
> want to reconsider the posted rule since yahoo's numeric addresses do not
> reverse-resolve back to www.yahoo.com, thus making the rule fail to
> recognize it.

No, it won't fail :-> Remember that the DNS function is just to map a name into an IP address... TCP/IP end-to-end communication uses IP addresses, not FQDNs. Therefore Louie's ipchains rule below is still correct to block all incoming traffic coming from www.yahoo.com, because ipchains will create a number of DENY lines depending on how many IP addresses www.yahoo.com returns.

> > > ipchains -A input -p tcp -d remoteip -s www.yahoo.com -j DENY

What I'm really pointing out is that if you block through incoming traffic, imagine that if one workstation is going to access www.yahoo.com, it will first waste outgoing traffic (the first SYN packet) and second the incoming traffic (the SYN+ACK packet) of your upstream bandwidth coming from www.yahoo.com, only to be blocked by your ipchains box. With this rule:

ipchains -A output -p tcp -s 0.0.0.0/0 -d www.yahoo.com 80 -j REJECT

it will save you time (because of the REJECT and not DENY), upstream bandwidth, and www.yahoo.com's server resources.

fooler.

_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
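
The expansion fooler describes, as an added example that is not part of the original thread or of the ipchains project: when a hostname is given to -s or -d, ipchains resolves it once at the moment the rule is added and inserts one rule per address returned. The script below reproduces that expansion for both rule shapes discussed in the thread (the inbound DENY rule and the outbound REJECT rule on the output chain), and includes a check showing the practical caveat that an address the name resolves to only after insertion is matched by none of the generated rules. The address list is constructed from the TEST-NET-3 documentation range so the script runs offline and needs neither root nor ipchains; the rules are printed rather than executed. The `getent ahostsv4` command in the comment is how one would obtain the real list on a glibc system.

```shell
#!/bin/sh
# Added example, not from the original posts or from ipchains itself.
# A hostname in -s/-d is resolved ONCE when the rule is inserted, and one
# rule per returned address is added to the chain. Addresses the name
# resolves to later are not covered by those rules.
#
# RESOLVED_ADDRS is CONSTRUCTED for the example (203.0.113.0/24 is the
# TEST-NET-3 documentation range) so the script runs offline. In practice
# you would fill it from the resolver, e.g.
#   getent ahostsv4 www.yahoo.com | awk '{print $1}' | sort -u
# Rules are printed, not executed, so no root and no ipchains are needed.

RESOLVED_ADDRS="203.0.113.10 203.0.113.11"

# expand_rule CHAIN FLAG PORT TARGET ADDR...
#   Emit one ipchains rule per address, the way the tool expands a hostname.
#   FLAG is -s or -d; PORT may be empty to mean "any port".
expand_rule() {
    chain=$1; flag=$2; port=$3; target=$4
    shift 4
    for addr in "$@"; do
        if [ -n "$port" ]; then
            printf 'ipchains -A %s -p tcp %s %s %s -j %s\n' \
                "$chain" "$flag" "$addr" "$port" "$target"
        else
            printf 'ipchains -A %s -p tcp %s %s -j %s\n' \
                "$chain" "$flag" "$addr" "$target"
        fi
    done
}

# outbound_reject_rules ADDR...
#   The form fooler prefers: stop the first SYN on the output chain with
#   REJECT, so the client fails immediately and no SYN+ACK is ever paid for
#   on the inbound side.
outbound_reject_rules() {
    expand_rule output -d 80 REJECT "$@"
}

# inbound_deny_rules ADDR...
#   The rule quoted at the top of the thread, expanded per address.
inbound_deny_rules() {
    expand_rule input -s "" DENY "$@"
}

# rule_count ADDR...
#   Number of rules the chain receives for one hostname (= addresses returned).
rule_count() {
    expand_rule output -d 80 REJECT "$@" | wc -l | tr -d ' '
}

# covered IP ADDR...
#   Exit 0 if IP is matched by rules built from ADDR..., 1 if not. An address
#   the name starts resolving to after insertion is NOT covered.
covered() {
    ip=$1; shift
    for addr in "$@"; do
        [ "$addr" = "$ip" ] && return 0
    done
    return 1
}

# Show the outbound rule set for the constructed address list.
outbound_reject_rules $RESOLVED_ADDRS
```

Run it as `sh expand.sh` (hypothetical file name) to see the two output-chain rules; `covered 203.0.113.99 $RESOLVED_ADDRS` returns 1, which is the gap a hostname-based rule leaves once the name's addresses change.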
