* blocking only https access
@ 2009-06-08 17:01 Leonardo Carneiro
  2009-06-08 17:17 ` Marek Kierdelewicz
  0 siblings, 1 reply; 3+ messages in thread
From: Leonardo Carneiro @ 2009-06-08 17:01 UTC (permalink / raw)
  To: netfilter@vger.kernel.org

Hi everyone,

I have blocked outgoing connections using port 443 in my network to
force everyone to use the web proxy. However, some non-HTTP applications
(like ShowMyPC) use port 443, and don't support proxies yet. I've
contacted the support of the software to know which IPs I have to
allow to make the program work properly, but they said they change
their server IPs very often, so they recommend using the domain name to block.

I have read a lot here in the list and in other places that I SHOULD
NOT use domain names in iptables, because it will result in a DNS request
for every packet that reaches that rule.

The question is: is there a way that I can identify only SSL packets
that contain web content, so I can allow those that don't, like the
ShowMyPC packets?


-- 

Leonardo de Souza Carneiro
Veltrac - Tecnologia em Logística.
lscarneiro@veltrac.com.br
http://www.veltrac.com.br
Business phone: (43)2105-5601
Av. Higienópolis 1601 Ed. Eurocenter Sl. 803
Londrina - PR
Postal code (CEP): 86015-010



* Re: blocking only https access
  2009-06-08 17:01 blocking only https access Leonardo Carneiro
@ 2009-06-08 17:17 ` Marek Kierdelewicz
  2009-06-08 17:23   ` Leonardo Carneiro
  0 siblings, 1 reply; 3+ messages in thread
From: Marek Kierdelewicz @ 2009-06-08 17:17 UTC (permalink / raw)
  To: Leonardo Carneiro; +Cc: netfilter@vger.kernel.org

>Hi everyone,

Hi,

>I have read a lot here in the list and in other places that I SHOULD 
>NOT use domain names in iptables, because it will result in a DNS
>request for every packet that reaches that rule.

Not really. The domain name is resolved at the time of rule addition to a
ruleset. Netfilter stores the destination address in numerical form.

You can use CRON to restart the firewall every night or even every hour.
This would allow you to have the current server addresses in a
ruleset.

Cheers,
Marek Kierdelewicz

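One way to automate the refresh Marek describes, added here as an example and not taken from the thread: rather than restarting the whole firewall from cron, resolve the host and rebuild only a dedicated chain that sits in front of the general port 443 block. The chain name ALLOW443 and the host name showmypc.example are assumptions (the thread names no server), and iptables itself expands a `-d hostname` rule into one rule per address at insertion time, which is exactly the snapshot this script refreshes.

```shell
#!/bin/sh
# Cron-driven refresh of an iptables chain that allows port 443 only to the
# current addresses of one host. Example code, not from the thread.
# Assumed names: chain ALLOW443, host showmypc.example (placeholder).

CHAIN=${CHAIN:-ALLOW443}
ALLOWED_HOST=${ALLOWED_HOST:-showmypc.example}

# Resolve every IPv4 address of a host through the system resolver
# (glibc getent; /etc/hosts is honoured too), one address per line.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Print the iptables commands that rebuild the chain for the given addresses.
# Flushing first makes each run idempotent and drops addresses that are stale.
# The final REJECT keeps the "block 443 for everyone else" policy inside
# the chain, so the jump from FORWARD is installed once and never changes.
build_rules() {
    chain=$1
    shift
    printf 'iptables -N %s 2>/dev/null || true\n' "$chain"
    printf 'iptables -F %s\n' "$chain"
    for ip in "$@"; do
        printf 'iptables -A %s -p tcp --dport 443 -d %s -j ACCEPT\n' "$chain" "$ip"
    done
    printf 'iptables -A %s -p tcp --dport 443 -j REJECT\n' "$chain"
}

# Resolve, then apply. If resolution yields nothing (DNS outage, typo in the
# host name) keep the previous rules instead of flushing the allow list.
refresh() {
    ips=$(resolve_v4 "$ALLOWED_HOST")
    if [ -z "$ips" ]; then
        echo "no addresses for $ALLOWED_HOST, keeping existing rules" >&2
        return 1
    fi
    build_rules "$CHAIN" $ips | sh
}

# Install the jump once by hand, e.g.:
#   iptables -I FORWARD -p tcp --dport 443 -j ALLOW443
# then run "this-script.sh --run" hourly from cron.
if [ "${1:-}" = "--run" ]; then
    refresh
fi
```

Allowing by destination address still lets any host reach those addresses on 443, so it should stay a narrow exception alongside the proxy policy, not a replacement for it.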

* Re: blocking only https access
  2009-06-08 17:17 ` Marek Kierdelewicz
@ 2009-06-08 17:23   ` Leonardo Carneiro
  0 siblings, 0 replies; 3+ messages in thread
From: Leonardo Carneiro @ 2009-06-08 17:23 UTC (permalink / raw)
  To: Marek Kierdelewicz; +Cc: netfilter@vger.kernel.org

Marek Kierdelewicz wrote:
>> Hi everyone,
>
> Hi,
>
>> I have read a lot here in the list and in other places that I SHOULD
>> NOT use domain names in iptables, because it will result in a DNS
>> request for every packet that reaches that rule.
>
> Not really. The domain name is resolved at the time of rule addition to a
> ruleset. Netfilter stores the destination address in numerical form.
>
> You can use CRON to restart the firewall every night or even every hour.
> This would allow you to have the current server addresses in a
> ruleset.
>
OK, thanks Marek. I'll try this.

> Cheers,
> Marek Kierdelewicz

