Devdas Bhagat wrote:
On 20/07/06 09:06 +0530, Kenneth Gonsalves wrote:
On 20-Jul-06, at 12:50 AM, Harsh Busa wrote:
saw on some TV channel that govt is refining the order to only certain blogs of blogspot and parts of other sites.
which can't be done
It *can*. It isn't impossible. Just economically infeasible.
Devdas Bhagat
Three ways to do this and not at all expensive:
1) Make your DNS server host blogspot.com and redirect ALL port 53 traffic to it and block blockedblog.blogspot.com requests.
2) Use transparent proxy which also does SNAT, back to original IP for outgoing packets.
3) Just like ip_conntrack_ftp module which tracks PORT commands, develop ip_conntrack_http module which tracks HTTP "Host:" header and blocks the blocked sites.
3rd option seems to be much easier (and technically sound as it would require no redirection/NAT) once code is developed and can also be implemented on router chip.
Amish.
On 20/07/06 12:49 +0530, Amish Mehta wrote: <snip>
Three ways to do this and not at all expensive:
- Make your DNS server host blogspot.com and redirect ALL port 53
traffic to it and block blockedblog.blogspot.com requests.
If you want to be authoritative for blogspot.com, then you have to deal with every domain under it as well. You would merely want to be authoritative for blockedhost.blogspot.com, which is trivially circumventable with /etc/hosts.
- Use transparent proxy which also does SNAT, back to original IP for
outgoing packets.
And which works at Gigabit speeds and has vendor backing.
- Just like ip_conntrack_ftp module which tracks PORT commands, develop
ip_conntrack_http module which tracks HTTP "Host:" header and blocks the blocked sites.
And then make the system even more complex by routing stuff to a Linux box. Unless you think that ISPs run Linux boxes for their ATM and SONET circuits?
Devdas Bhagat
Sometime on Jul 20, Amish Mehta assembled some asciibets to say:
- Make your DNS server host blogspot.com and redirect ALL port 53
traffic to it and block blockedblog.blogspot.com requests.
User can use an alternate DNS server
- Just like ip_conntrack_ftp module which tracks PORT commands,
develop ip_conntrack_http module which tracks HTTP "Host:" header and blocks the blocked sites.
User can use HTTP/1.0 which does not require the Host: header unless going through a proxy.
Also, please fix your line length.
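
Added example, not part of the thread: a user-space sketch of the Host-header matching that option 3 describes, showing the outcomes a filter designer has to decide on, including a request that names no host at all. It assumes the whole request head arrives in one payload; the function names and sample requests are constructed for illustration.

```python
BLOCKED_HOSTS = {"blockedblog.blogspot.com"}  # hostname used in the thread

def extract_host(payload: bytes):
    """Return (is_http, host) for the start of a TCP payload; host is None if not named."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return False, None
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip()
            break
    # An absolute-form target (sent to proxies) names the host and overrides the header.
    if parts[1].lower().startswith(b"http://"):
        host = parts[1][7:].split(b"/", 1)[0]
    if not host:
        return True, None
    # Normalise case, port and trailing dot (IPv6 literals are not handled here).
    text = host.decode("ascii", "replace").lower()
    return True, text.split(":")[0].rstrip(".")

def classify(payload: bytes) -> str:
    """Verdict a Host-based filter can reach from the request head alone."""
    is_http, host = extract_host(payload)
    if not is_http:
        return "not-http"
    if host is None:
        return "no-host"  # nothing to match on; policy must pick a default
    return "block" if host in BLOCKED_HOSTS else "allow"

# Constructed sample requests.
SAMPLES = [
    b"GET / HTTP/1.1\r\nHost: blockedblog.blogspot.com\r\n\r\n",
    b"GET / HTTP/1.1\r\nhost: BlockedBlog.Blogspot.com:80\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: otherblog.blogspot.com\r\n\r\n",
    b"GET http://blockedblog.blogspot.com/ HTTP/1.0\r\n\r\n",
    b"GET / HTTP/1.0\r\nUser-Agent: sample\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(classify(req), req.split(b"\r\n", 1)[0].decode())
```

The "no-host" verdict is the design decision: failing open leaves name-based matching incomplete, while failing closed rejects every request that carries no Host header.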