-----BEGIN PGP SIGNED MESSAGE-----
pk said the following on 2008-09-14 13:25:
> Ok, good to know. I tried something simpler; putting the domain in
> /etc/hosts pointing to 127.0.0.1 (as suggested by Neil Bothwick). But
> I'll keep this in mind for the future. Thanks for the input!
Yes, putting the domain/IP address in the host file works, but has the
negative side effect of being slower (at least if your host file is big.
Parsing a big hosts file slows down networking overall because of the parsing
process. If the file is small/short it's not a big problem). With TCP reset,
it's a lot quicker. If You want to block lots of ads/banner domains and/or
malware/porn sites it's usually more efficient to use TCP reset, within reason
of course... huge iptables blocks tend to slow things down as well unless You
use IPset (an extension of iptables). Shorewall actually supports IPset, if
You have those extensions compiled in Your kernel...
IPset is a means of creating hashes for one or more address blocks or
addresses, which speeds things up quite a lot.
See http://ipset.netfilter.org/ and
BTW, Gentoo supports IPsets - in Portage it's under net-firewall/ipset but
You have to recompile Your kernel, which may be too much work for You since
we're discussing one domain/IP address in this case.
Have a nice Sunday
I surely will as I'm watching F1 at Monza right now
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
-----END PGP SIGNATURE-----