performance impact of large /etc/hosts files
Alex Zbyslaw
xfb52 at dial.pipex.com
Wed Dec 12 04:01:17 PST 2007
Nikos Vassiliadis wrote:
>On Wednesday 12 December 2007 04:06:01 Erich Dollansky wrote:
>
>>>There's no clean solutions to getting different lookups per-user that I
>>
>>The clean solution is hosts.
>
>But hosts is operating system-wide.
>
>Both ipfw and pf support tables, which is what you want, large sets or
>unrelated (addresses|networks). Both of them support UID matching as a
>target (caution: this feature is not mpsafe on FreeBSD-6).
>
I don't understand how you think any firewall would do this. Firewalls
will block based on IP addresses, whereas what I do (pointing numerous
ad sites at a local apache vhost) works based on names. I have no clue
if the ad sites share IP addresses with anything else, nor do I care;
nor do I care if some ad site has 50 different IP addresses because I
never resolve the real IP.
To take a random, made up example:
ads.useful.site = 10.1.1.1
www.useful.site = 10.1.1.1
Using hosts (or DNS) I can make ads.useful.site instead = 192.168.1.1
or
ads.useful.site = 101.1.1 -> 10.1.1.255
but I'm going to spend *forever* before I get all those IP addresses
from a round-robin DNS entry to put into some ipfw table, and if any of
those addresses also hosts the main site, I end up blocking that too.
I don't see how a firewall is appropriate for this (hosts.allow,
likewise). The point of the exercise is to never even contact the ad host.
If I've misunderstood something about your approach, please enlighten me.
--Alex
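The distinction Alex draws above (a hosts entry pins a *name* to a sinkhole before any real lookup happens, whereas a firewall table can only act on *addresses*, so a shared or round-robin address drags the legitimate site down with the ad host) can be checked with a few lines of code. The following is an added example, not code from the thread or from FreeBSD: the hosts-file text and the stand-in DNS answers are constructed (using the poster's made-up 10.x and 192.168.x addresses), and `resolve` only emulates the usual "files before dns" lookup order rather than calling the system resolver.

```python
"""Name-based blocking (hosts file) versus address-based blocking (firewall table).

Added example for the thread above; hosts entries and DNS answers are constructed.
"""
import ipaddress

# Constructed /etc/hosts contents: the ad host is pinned to a local sinkhole,
# so its real address is never resolved and never contacted.
HOSTS_FILE = """\
# local sinkhole for ad hosts
192.168.1.1   ads.useful.site
127.0.0.1     localhost
"""

# Constructed stand-in for what real DNS would answer. The round-robin
# answer for the ad host shares 10.1.1.1 with the main site.
FAKE_DNS = {
    "ads.useful.site": ["10.1.1.1", "10.1.1.2"],
    "www.useful.site": ["10.1.1.1"],
}


def parse_hosts(text):
    """Parse hosts(5) text into {name: address}; the first entry for a name wins."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        addr = fields[0]
        ipaddress.ip_address(addr)             # reject malformed address fields
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)
    return table


def resolve(name, hosts, dns):
    """Emulate 'files' before 'dns': a hosts override wins, otherwise ask DNS."""
    name = name.lower()
    if name in hosts:
        return [hosts[name]]
    return list(dns.get(name, []))


def address_based_collateral(block_names, dns):
    """Build a firewall table from the ad hosts' real addresses and report every
    other name that becomes unreachable because all of its addresses are in it."""
    table = {a for n in block_names for a in dns.get(n, [])}
    unreachable = set()
    for name, addrs in dns.items():
        if name in block_names:
            continue
        if addrs and all(a in table for a in addrs):
            unreachable.add(name)
    return table, unreachable


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    for n in ("ads.useful.site", "www.useful.site"):
        print(f"hosts approach: {n} -> {resolve(n, hosts, FAKE_DNS)}")
    table, hit = address_based_collateral({"ads.useful.site"}, FAKE_DNS)
    print(f"firewall table: {sorted(table)}; collateral: {sorted(hit)}")
```

With the hosts override in place, `ads.useful.site` resolves to the sinkhole while `www.useful.site` still reaches 10.1.1.1; building an ipfw/pf-style table from the ad host's addresses instead puts 10.1.1.1 in the table and makes `www.useful.site` unreachable as well.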