From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: Blocking Ads.
Date: Tue, 22 Jun 2010 15:28:17 -0500
Message-ID: <4C211CE1.7000400@riverviewtech.net>
In-Reply-To: <AANLkTimRWJsPH73ASlu7nUY4iuG-ZnB_r7KpMZv64-fd@mail.gmail.com>

On 06/22/10 13:41, Curby wrote:
> As far as I know, ad blocking is more commonly performed using DNS,
> by resolving domain names to 127.0.0.1, or to a server to serve up
> notices of removed content (e.g. in a business environment, users
> could request that sites be unblocked). Is there a reason why you
> want to block specific IP addresses instead of domains?

Agreed. Normally this is done via DNS, or (IMHO) better via an
application layer proxy.

If I was going to DNS poison names where content was served from, I'd
either provide a placeholder, or an HTTP 404 error so that the client
could gracefully handle the missing (blocked) content.

> Anyway, I suspect that sending back appropriate ICMP error messages
> instead of DROPing such requests would provide hints to clients that
> they should give up instead of wait for a reply.

Agreed. This is why you want to REJECT with an ICMP error message, so
that clients (that will honor them) get an immediate notification that
the connection has been blocked.

Not all clients will honor the ICMP rejection message. But that is a
client problem, not a flaw introduced by your firewall. Returning an
HTTP 404 error would probably be better handled than returning an ICMP
unreachable message.

Grant. . . .
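
An added example, not part of the original message: a minimal HTTP sinkhole of the kind the message describes (blocked names resolve to it and every request gets an empty 404), with a probe that shows what a client sees in each case. The host names, port handling and function names are assumptions made for the illustration, and a closed loopback port stands in for a connection refused by a REJECT rule.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class Sinkhole(BaseHTTPRequestHandler):
    """Answers every request with an empty 404, whatever Host was asked for."""
    def _blocked(self):
        self.send_response(404)
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")
        self.end_headers()

    do_GET = do_HEAD = do_POST = _blocked


def start_sinkhole():
    """Start the sinkhole on a free loopback port; return (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), Sinkhole)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def closed_port():
    """Return a loopback port with no listener (stand-in for a rejected flow)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(port, host="ads.example.test", timeout=2.0):
    """Request /banner.js from 127.0.0.1:<port> and classify the outcome."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=timeout)
    try:
        conn.request("GET", "/banner.js", headers={"Host": host})
        return "http-%d" % conn.getresponse().status
    except ConnectionRefusedError:
        return "refused"   # fails at once, as with a rejected connection
    except socket.timeout:
        return "timeout"   # a silently dropped SYN leaves the client waiting
    finally:
        conn.close()


if __name__ == "__main__":
    srv, port = start_sinkhole()
    print("sinkhole:", probe(port), "| closed port:", probe(closed_port()))
    srv.shutdown()
```
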