>From: Alex Pakter[SMTP:Alex.Pakter@omnitel.it]
>Sent: 23 February 1996 10:31
>To: Firewalls@GreatCircle.COM
>Subject: Re: CERN HTTPD Proxy Rules
>
>> From: Philip Sloan <philip.sloan@shorts.co.uk>
>> Date: Mon, 19 Feb 1996 12:21:57 +0000
>> Subject: Httpd Proxy
>>
>> Hello,
>>
>> I'm running the cern_httpd proxy on my firewall to allow specific
>> machines in the internal network to access the outside world.
>>
>> Is there any way that I can blacklist certain sites, so that the users
>> in the internal network cannot gain access to them via the proxy server
>
>Instead of doing this in the httpd proxy, why not do it at your router?
>Have your router towards the internet block any INCOMING traffic from
>sites that you don't like. As long as you have an external mail relay

If you start adding lots of sites (IP addresses) to your router's
filter list, isn't this likely to cause more processing on a per-packet
basis, slowing down forwarding rates?

While I assume that most router implementations must compile the filter
rules in such a way that IP addresses and ports on incoming (and
outgoing) IP datagrams can be quickly hashed and used as an index into
a hash table -- there must be some additional overhead for very long
filter lists...
- Morrow