Devdas Bhagat wrote:
> On 20/07/06 12:49 +0530, Amish Mehta wrote:
>> Three ways to do this and not at all expensive:
>> - Make your DNS server host blogspot.com and redirect ALL
>> port 53 traffic to it and block blockedblog.blogspot.com requests.
> If you want to be authoritative for blogspot.com, then you have to deal with every domain under it as well. You would merely want to be authoritative for blockedhost.blogspot.com, which is trivially circumventable with /etc/hosts.

blockedblog is just an example. /etc/hosts won't work, as you need an entry for each subdomain. DNS wildcards or DNS forwarders can be set up easily.

>> - Use transparent proxy which also does SNAT, back to
>> original IP for outgoing packets.
> And which works at Gigabit speeds and has vendor backing.

Didn't get you, but anyway this wasn't my recommended way either. But it can work for small ISPs.

>> - Just like ip_conntrack_ftp module which tracks PORT commands,
>> develop ip_conntrack_http module which tracks HTTP "Host:" header and blocks the blocked sites.
> And then make the system even more complex by routing stuff to a Linux box. Unless you think that ISPs run Linux boxes for their ATM and SONET circuits?

This is an idea/method (with ip_conntrack as an analogy), and it doesn't generally pertain to Linux. Many routers do protocol-based (VPN, Skype, MSN, etc.) "packet" filtering. Writing code for HTTP filtering and implementing it on a chip is no big deal.

I don't think it adds any kind of complexity. a) The idea is to capture packets on port 80. b) Analyse the "Host:" header. c) Check the ACL. d) Block or pass.

Amish.
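The four-step outline in Amish's message (capture on port 80, parse the Host: header, check the ACL, block or pass) written out as a user-space decision function. This is an added example, not code from any poster on the thread and not ip_conntrack code; the ACL entries, the sample requests and the function names (BLOCK_ACL, extract_host, filter_decision) are assumptions constructed for illustration. It covers two details a filter built this way has to get right: an absolute-URI request line takes precedence over the Host header (RFC 2616 section 5.2), so a client cannot slip past the ACL with a decoy Host value, and a request with no parseable Host (HTTP/1.0 without the header, or a non-HTTP stream on port 80) cannot be matched at all. It only ever sees plaintext HTTP, and it assumes the header block is already in the bytes handed to it; in a conntrack-style module, that reassembly is the caller's job.

```python
"""Host-header ACL filter for plaintext HTTP on port 80.

Added example; not code from the mailing-list posters. ACL entries, sample
requests and names are constructed for illustration.
"""
import re
from typing import Optional

# Constructed ACL (assumption): exact hostnames block one name; entries that
# start with "." block every subdomain of that suffix, but not the apex.
BLOCK_ACL = frozenset({
    "blockedblog.blogspot.com",
    ".example-banned.test",
})

# Request line: METHOD SP target SP HTTP/x.y, CRLF or bare LF.
_REQUEST_LINE = re.compile(rb"^([A-Z]+) +(\S+) +HTTP/(\d)\.(\d)\r?\n")


def normalize_host(host: str) -> str:
    """Canonicalise a Host value so ACL lookups are exact: lowercase, drop a
    :port suffix and a trailing dot (Host: BlockedBlog.Blogspot.Com:80. must
    still match "blockedblog.blogspot.com")."""
    host = host.strip().lower()
    if host.startswith("["):  # IPv6 literal: keep the bracketed part only
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    host = host.split(":", 1)[0]
    return host.rstrip(".")


def extract_host(request: bytes) -> Optional[str]:
    """Return the effective request host, or None if the request has none.

    RFC 2616 section 5.2: an absolute-URI in the request line overrides any
    Host header, so it is checked first. Otherwise the first Host header in
    the header block (up to the first blank line) is used."""
    m = _REQUEST_LINE.match(request)
    if not m:
        return None  # not an HTTP request line; nothing to match against
    target = m.group(2).decode("latin-1")
    if "://" in target:
        authority = target.split("://", 1)[1].split("/", 1)[0]
        return normalize_host(authority)
    head = request[m.end():].split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    for line in head.splitlines():
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return normalize_host(value.decode("latin-1"))
    return None


def host_is_blocked(host: str, acl=BLOCK_ACL) -> bool:
    """Step (c): exact entries match one name; '.suffix' entries match any
    subdomain of the suffix."""
    for entry in acl:
        if entry.startswith("."):
            if host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def filter_decision(request: bytes, acl=BLOCK_ACL) -> str:
    """Step (d): 'BLOCK' or 'PASS'. Requests with no recognisable host are
    passed, because this filter has nothing to compare against the ACL."""
    host = extract_host(request)
    if host is None:
        return "PASS"
    return "BLOCK" if host_is_blocked(host, acl) else "PASS"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "blocked_exact": (b"GET /2006/07/post.html HTTP/1.1\r\n"
                      b"Host: BlockedBlog.Blogspot.Com\r\nUser-Agent: x\r\n\r\n"),
    "other_subdomain": b"GET / HTTP/1.1\r\nHost: otherblog.blogspot.com\r\n\r\n",
    # Proxy-style absolute URI with a decoy Host header: the URI wins.
    "proxy_form": (b"GET http://blockedblog.blogspot.com:80/x HTTP/1.1\r\n"
                   b"Host: decoy.test\r\n\r\n"),
    "no_host": b"GET / HTTP/1.0\r\n\r\n",
    "wildcard": b"GET / HTTP/1.1\r\nHost: sub.example-banned.test:8080\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:16} host={extract_host(req)!r:36} -> {filter_decision(req)}")
```

Running it prints one line per sample; the decoy-Host case is the one worth noticing, since a filter that reads only the Host header would pass it. Whether the rest of the stream after a PASS decision is inspected again (a second request on a keep-alive connection can name a different host) is a design choice the outline in the thread leaves open.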
On Friday 21 July 2006 10:04, Amish Mehta wrote:
> This is an idea/method (with ip_conntrack as an analogy), and it doesn't generally pertain to Linux. Many routers do protocol-based (VPN, Skype, MSN, etc.) "packet" filtering. Writing code for HTTP filtering and implementing it on a chip is no big deal.
> I don't think it adds any kind of complexity. a) The idea is to capture packets on port 80. b) Analyse the "Host:" header. c) Check the ACL. d) Block or pass.

I think traffic shapers already do that. But I think it is at packet level. These appliances can also block content very effectively. Some ISPs do have them while some don't :P