performance impact of large /etc/hosts files

Alex Zbyslaw xfb52 at
Wed Dec 12 04:01:17 PST 2007

Nikos Vassiliadis wrote:

>On Wednesday 12 December 2007 04:06:01 Erich Dollansky wrote:
>>>There's no clean solution to getting different lookups per-user that
>>The clean solution is hosts.
>But hosts is operating system-wide.
>Both ipfw and pf support tables, which is what you
>want, large sets or unrelated (addresses|networks).
>Both of them support UID matching as a target
>(caution: this feature is not mpsafe on FreeBSD-6).
I don't understand how you think any firewall would do this.  Firewalls 
will block based on IP addresses, whereas what I do (pointing numerous 
ad sites at a local apache vhost) works based on names.  I have no clue 
if the ad sites share IP addresses with anything else, nor do I care; 
nor do I care if some ad site has 50 different IP addresses because I 
never resolve the real IP.

To take a random, made up example: = =

Using hosts (or DNS) I can make instead =

or = 101.1.1 ->

but I'm going to spend *forever* before I get all those IP addresses 
from a round-robin DNS entry to put into some ipfw table, and if any of 
those addresses also hosts the main site, I end up blocking that too.

I don't see how a firewall is appropriate for this (hosts.allow, 
likewise).  The point of the exercise is to never even contact the ad host.

If I've misunderstood something about your approach, please enlighten me.
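As an added example (not from the thread), the following Python models the distinction Alex draws: name-based blocking through hosts(5) entries versus address-based blocking through a firewall table built from the ad hosts' DNS answers. All hostnames, the documentation-range addresses and the 127.0.0.2 sink address are constructed.

```python
"""Name-based (hosts file) vs address-based (firewall table) ad blocking."""
import ipaddress

# Constructed "DNS": the ad host is served round-robin from a pool that also
# serves the main site, the collateral-damage case the post describes.
DNS = {
    "www.example-news.test": {"203.0.113.10", "203.0.113.11"},
    "ads.example-news.test": {"203.0.113.11", "203.0.113.12", "198.51.100.7"},
    "tracker.example-ads.test": {"198.51.100.7"},
}

# Constructed /etc/hosts fragment: ad names pointed at a local sink vhost.
HOSTS_FILE = """\
127.0.0.1       localhost
127.0.0.2       ads.example-news.test tracker.example-ads.test   # sink
"""

def parse_hosts(text):
    """Return name -> address with hosts(5) semantics: first entry wins."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        ipaddress.ip_address(addr)             # ValueError on a malformed entry
        for name in names:
            table.setdefault(name.lower(), addr)
    return table

def resolve(name, hosts):
    """Resolver order 'files' then 'dns': addresses a client would connect to."""
    if name.lower() in hosts:
        return {hosts[name.lower()]}           # never touches the real address
    return DNS[name]

def firewall_table_for(blocked_names):
    """Address-based approach: every address the blocked names resolve to."""
    return set().union(*(DNS[n] for n in blocked_names))

def collateral(name, table):
    """Addresses of an unrelated site that the address table would also drop."""
    return DNS[name] & table

if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    print("hosts:", resolve("ads.example-news.test", hosts))
    table = firewall_table_for(["ads.example-news.test", "tracker.example-ads.test"])
    print("table:", table, "collateral:", collateral("www.example-news.test", table))
```

With the hosts file the main site still resolves to its real addresses, while the address table drops one of the main site's two round-robin answers, so roughly half of its connections would fail.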


More information about the freebsd-questions mailing list