Network Level Content Blocking (UK) for people who can't be bothered to read the article..
leigh.porter at ukbroadband.com
Thu Jun 7 19:11:06 UTC 2007
Sean Donelan wrote:
> On Thu, 7 Jun 2007, Chris L. Morrow wrote:
>>> It's not "content" blocking, it's source/destination blocking.
>> oh, so null routes? I got the impression it was application-aware, or
>> at least port-aware... If it's proxying or doing anything more than
>> port-level blocking it's likely it sees content as well, or COULD.
>> Either way, it's not like it's effective for anything except the most
>> casual of users :(
> It's more than null routes, but not much more. The router does a
> re-route on a list of network/IP address, and then for the protocols
> the redirector box understands (i.e. pretty much only HTTP) it matches
> part of the application/URL pattern.
> So IWF can block only one part of a sub-tree of a popular shared
> webhosting site *IF* it is one of a few application protocols.
What we have is a box that takes the IWF feed of dodgy sites and
resolves the entries to IP addresses. These are then injected into the
network with Quagga's bgpd. The network then obviously routes anything
to these IP addresses and therefore those websites to the filter box.
(but not a bad idea....) The filter box runs Squid with the URL list from
the IWF. Port 80 traffic is directed through squid and anything
appearing on the IWF list that is accessed by anybody returns a page
telling them to go away. We thought about the error page stuff but what
the heck, it's obvious it's being filtered anyway so you may as well put
some google ads on the page you return (Joke ;-) In fact you could run
upside-down-ternet on it, there's no end to the things you could do to
screw with people's heads.
Anything on a virtual host whose URL is not explicitly in the IWF list is
passed through squid without being touched.
Since only port 80 is passed through the filter then of course there are
all manner of things you could do to circumvent the filter and this will
of course always be the case as people will use whatever they can to get
what they want. After all, all you really need to do in order to get all
the dodgy material you want is to subscribe to a decent USENET service
and get it all from that.
For what it's worth though it works well for what it is and we certainly
get a few hits on it.
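The two-stage design Leigh describes (resolve the list to IP addresses and announce host routes so only that traffic reaches the filter box, then let a proxy match the full URL so other virtual hosts on the same address pass untouched) is modelled below as an added example. It is not code from the post or from UK Broadband's setup; the block list, the hostname-to-IP map standing in for DNS, and the Quagga `network` statement rendering are all constructed so the script runs offline, and the port-80-only limitation the post mentions is represented explicitly so the bypass cases are visible.

```python
"""
Model of a two-stage URL block list: IP-level redirection (stage 1) followed
by URL-level matching on the filter box (stage 2). Added illustration, not
the mailing-list author's code; all sample data is constructed.
"""
from urllib.parse import urlsplit

# Constructed block list (hypothetical hosts/paths, not real IWF entries).
SAMPLE_LIST = [
    "http://shared-host.example/users/bad/",   # trailing slash: whole subtree
    "http://other.example/page.html",          # exact URL only
]

# Constructed resolver results standing in for DNS so the example is offline.
SAMPLE_DNS = {
    "shared-host.example": ["192.0.2.10"],
    "other.example": ["198.51.100.7", "198.51.100.8"],
}


def normalise(url):
    """Split a list entry into (lowercase host, path), defaulting path to '/'."""
    parts = urlsplit(url)
    return parts.hostname.lower(), (parts.path or "/")


def host_routes(url_list, resolver):
    """Stage 1: the set of /32 host routes to announce towards the filter box."""
    routes = set()
    for url in url_list:
        host, _ = normalise(url)
        for ip in resolver.get(host, []):
            routes.add(f"{ip}/32")
    return routes


def bgp_network_statements(routes):
    """Render the routes as bgpd 'network' statements (constructed snippet)."""
    return "\n".join(f" network {r}" for r in sorted(routes))


def build_matcher(url_list):
    """Stage 2: a predicate the proxy applies to each request's host and path."""
    entries = [normalise(u) for u in url_list]

    def is_blocked(host, path):
        host = host.lower()
        for list_host, list_path in entries:
            if list_host != host:
                continue  # different virtual host on the same IP: never matches
            if list_path.endswith("/") and path.startswith(list_path):
                return True  # subtree entry
            if path == list_path:
                return True  # exact entry
        return False

    return is_blocked


def filter_decision(dst_ip, dst_port, host, path, routes, is_blocked):
    """
    Trace one request through both stages:
      'direct'   - destination IP not on the list, never reaches the filter box
      'bypassed' - IP is routed to the box but the port is not 80, so no proxy
      'blocked'  - proxy matched the URL, block page returned
      'proxied'  - reached the proxy but URL not listed, passed through untouched
    """
    if f"{dst_ip}/32" not in routes:
        return "direct"
    if dst_port != 80:
        return "bypassed"
    return "blocked" if is_blocked(host, path) else "proxied"


if __name__ == "__main__":
    routes = host_routes(SAMPLE_LIST, SAMPLE_DNS)
    print(bgp_network_statements(routes))
    blocked = build_matcher(SAMPLE_LIST)
    for req in [
        ("192.0.2.10", 80, "shared-host.example", "/users/bad/pic.jpg"),
        ("192.0.2.10", 80, "shared-host.example", "/users/good/"),
        ("192.0.2.10", 80, "innocent-vhost.example", "/"),
        ("192.0.2.10", 443, "shared-host.example", "/users/bad/"),
        ("203.0.113.5", 80, "unrelated.example", "/"),
    ]:
        print(req, "->", filter_decision(*req, routes, blocked))
```

The `innocent-vhost.example` request shows why stage 2 matters: it shares an IP with a listed host, so the route pulls it to the filter box, but the proxy lets it through because its URL is not on the list. The port-443 request shows the other side of the same design, namely that anything not on port 80 is routed to the box but never inspected.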
More information about the NANOG