performance impact of large /etc/hosts files
xfb52 at dial.pipex.com
Wed Dec 12 04:01:17 PST 2007
Nikos Vassiliadis wrote:
>On Wednesday 12 December 2007 04:06:01 Erich Dollansky wrote:
>>>There are no clean solutions to getting different lookups per-user that
>>The clean solution is hosts.
>But hosts is operating system-wide.
>Both ipfw and pf support tables, which is what you
>want, large sets or unrelated (addresses|networks).
>Both of them support UID matching as a target
>(caution: this feature is not mpsafe on FreeBSD-6).
I don't understand how you think any firewall would do this. Firewalls
will block based on IP addresses, whereas what I do (pointing numerous
ad sites at a local apache vhost) works based on names. I have no clue
if the ad sites share IP addresses with anything else, nor do I care;
nor do I care if some ad site has 50 different IP addresses because I
never resolve the real IP.
To take a random, made up example:
ads.useful.site = 10.1.1.1
www.useful.site = 10.1.1.1
Using hosts (or DNS) I can make ads.useful.site instead = 192.168.1.1
ads.useful.site = 101.1.1 -> 10.1.1.255
but I'm going to spend *forever* before I get all those IP addresses
from a round-robin DNS entry to put into some ipfw table, and if any of
those addresses also hosts the main site, I end up blocking that too.
I don't see how a firewall is appropriate for this (hosts.allow,
likewise). The point of the exercise is to never even contact the ad host.
If I've misunderstood something about your approach, please enlighten me.
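The distinction the post draws, name-based redirection in hosts versus address-based blocking in a firewall table, can be shown with a small simulation. The following is an added example, not code from the original thread or from FreeBSD; the hosts excerpt and the upstream DNS answers are constructed, and it assumes the usual resolver order in which a hosts entry is consulted before DNS, so a name present in hosts never reaches the upstream server.

```python
"""Name-based (hosts) versus address-based (firewall table) blocking.

Constructed example: the hosts content and the DNS answers below are made up
and use private addresses; they do not describe any real site.
"""
import ipaddress

# Constructed /etc/hosts excerpt: the ad hostname is pointed at a local vhost.
HOSTS_FILE = """\
# redirect ad hostnames to the local apache vhost
127.0.0.1       localhost
192.168.1.1     ads.useful.site   # local sink, the real ad host is never contacted
"""

# Constructed upstream DNS answers: the ad name is round-robin over a whole
# /24, and one of those addresses also serves the useful site.
UPSTREAM_DNS = {
    "www.useful.site": {"10.1.1.1"},
    "ads.useful.site": {str(ip) for ip in ipaddress.ip_network("10.1.1.0/24").hosts()},
}


def parse_hosts(text):
    """Parse hosts(5) content into {name: address}.

    Comments are stripped, malformed addresses raise ValueError, and the
    first entry for a name wins, which is how the resolver treats the file.
    """
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        ipaddress.ip_address(addr)  # validation only; raises on a bad entry
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def resolve(name, hosts, dns):
    """Resolve with hosts consulted before DNS (assumed resolver order).

    A hosts hit returns the override address only; the upstream answer for
    that name is never looked at, so its real addresses do not matter.
    """
    name = name.lower()
    if name in hosts:
        return {hosts[name]}
    return dns.get(name, set())


def hosts_override_collateral(hosts, dns, other_names):
    """Names whose resolution changes because of the hosts override.

    Only names listed in hosts are affected, so an override of one ad
    hostname leaves unrelated names untouched.
    """
    return [n for n in other_names
            if resolve(n, hosts, dns) != dns.get(n.lower(), set())]


def address_block_collateral(dns, blocked_name, other_names):
    """Names an address-based block of blocked_name would also hit.

    A firewall table holding every address of blocked_name catches any
    other name that shares one of those addresses.
    """
    table = dns.get(blocked_name.lower(), set())
    return [n for n in other_names if dns.get(n.lower(), set()) & table]


def firewall_table_size(dns, blocked_name):
    """Number of addresses the firewall table would need for blocked_name."""
    return len(dns.get(blocked_name.lower(), set()))


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    print("ads.useful.site ->", resolve("ads.useful.site", hosts, UPSTREAM_DNS))
    print("www.useful.site ->", resolve("www.useful.site", hosts, UPSTREAM_DNS))
    print("hosts collateral:", hosts_override_collateral(hosts, UPSTREAM_DNS, ["www.useful.site"]))
    print("firewall collateral:", address_block_collateral(UPSTREAM_DNS, "ads.useful.site", ["www.useful.site"]))
    print("firewall table entries:", firewall_table_size(UPSTREAM_DNS, "ads.useful.site"))
```

Run as-is, the hosts override changes only the ad name (one line in the file), while an address table for the same ad name needs 254 entries and also matches the address that serves www.useful.site, which is the collateral blocking the post describes.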