Network Level Content Blocking (UK) for people who can't be bothered to read the article..

Leigh Porter leigh.porter at
Thu Jun 7 19:11:06 UTC 2007

Sean Donelan wrote:
> On Thu, 7 Jun 2007, Chris L. Morrow wrote:
>>> It's not "content" blocking, it's source/destination blocking.
>> oh, so null routes? I got the impression it was application-aware, or
>> at least port-aware... If it's proxying or doing anything more than
>> port-level blocking it's likely it sees content as well, or COULD.
>> Either way, it's not like it's effective for anything except the most
>> casual of users :(
> It's more than null routes, but not much more.  The router does a 
> re-route on a list of network/IP address, and then for the protocols 
> the redirector box understands (i.e. pretty much only HTTP) it matches 
> part of the application/URL pattern.
> So IWF can block only one part of a sub-tree of a popular shared 
> webhosting site *IF* it is one of a few application protocols.

What we have is a box that takes the IWF feed of dodgy sites and 
resolves the entries to IP addresses. These are then injected into the 
network with Quagga's bgpd. The network then obviously routes anything 
to these IP addresses and therefore those websites to the filter box.

(but not a bad idea....) The filter box runs Squid with the URL list from 
the IWF. Port 80 traffic is directed through squid and anything 
appearing on the IWF list that is accessed by anybody returns a page 
telling them to go away. We thought about the error page stuff but what 
the heck, it's obvious it's being filtered anyway so you may as well put 
some google ads on the page you return (Joke ;-) In fact you could run 
upside-down-ternet on it, there's no end to the things you could do to 
screw with people's heads.

Anything on a virtual host whose URL is not explicitly in the IWF list is 
passed through squid without being touched.

Since only port 80 is passed through the filter then of course there are 
all manner of things you could do to circumvent the filter and this will 
of course always be the case as people will use whatever they can to get 
what they want. After all, all you really need to do in order to get all 
the dodgy material you want is to subscribe to a decent USENET service 
and get it all from that.

For what it's worth though it works well for what it is and we certainly 
get a few hits on it.

Leigh Porter
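The two-stage design Leigh describes (resolve the listed URLs' hostnames to addresses and announce those addresses so the traffic lands on a filter box, then let the proxy block only the exact URLs on the list) is modelled below as an added example. It is not code from the original post or from the system Leigh runs. The blocklist, the hostname-to-address mapping and the sample requests are constructed here so it runs offline; the Quagga bgpd `network` line format and the rule that a listed directory also covers URLs beneath it are assumptions, not something the post states.

```python
"""Model of an IP-redirect + URL-match filter (added example, constructed data)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample URL blocklist standing in for the feed, which the post
# does not reproduce. Entries are full URLs, not bare hostnames.
BLOCKLIST = [
    "http://shared-host.example/~user1/bad/",
    "http://shared-host.example/~user1/bad/page.html",
    "http://other.example/forbidden.html",
]

# Constructed stand-in for DNS resolution so the script needs no network.
# innocent.example deliberately shares an address with shared-host.example.
RESOLVE = {
    "shared-host.example": ["192.0.2.10"],
    "other.example": ["198.51.100.7", "198.51.100.8"],
    "innocent.example": ["192.0.2.10"],
}


def normalize(url):
    """Split a URL into (lowercase host, port, path) for matching."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.hostname or "").lower(), port, parts.path or "/"


def build_table(urls):
    """Blocklist -> {host: set of blocked paths}."""
    table = {}
    for u in urls:
        host, _, path = normalize(u)
        table.setdefault(host, set()).add(path)
    return table


def redirect_prefixes(table, resolver):
    """Stage 1: every address a listed host resolves to becomes a /32 that the
    route injector announces, pulling that traffic to the filter box."""
    prefixes = {ipaddress.ip_network(ip + "/32")
                for host in table for ip in resolver.get(host, [])}
    return sorted(prefixes)


def bgpd_network_lines(prefixes):
    """Render the prefixes as Quagga bgpd 'network' statements (assumed form)."""
    return [f" network {p.with_prefixlen}" for p in prefixes]


def proxy_decision(host, path, table):
    """Stage 2, the Squid-side check: block only listed URLs, pass the rest.
    A listed directory (trailing slash) also covers URLs beneath it (assumption)."""
    for blocked in table.get(host, ()):
        if path == blocked or (blocked.endswith("/") and path.startswith(blocked)):
            return "BLOCK"
    return "PASS"


def handle_request(url, table, resolver, prefixes):
    """Trace one request through the design: is it redirected at all, does the
    proxy see it (port 80 only), and if so is the URL on the list?"""
    host, port, path = normalize(url)
    ips = [ipaddress.ip_address(ip) for ip in resolver.get(host, [])]
    redirected = any(ip in p for ip in ips for p in prefixes)
    if not redirected or port != 80:
        return "NOT_INTERCEPTED"  # never reaches the filter box
    return proxy_decision(host, path, table)


if __name__ == "__main__":
    table = build_table(BLOCKLIST)
    prefixes = redirect_prefixes(table, RESOLVE)
    print("\n".join(bgpd_network_lines(prefixes)))
    for u in (
        "http://shared-host.example/~user1/bad/page.html",
        "http://shared-host.example/~user2/index.html",
        "http://innocent.example/",
        "http://unrelated.example/x",
    ):
        print(u, "->", handle_request(u, table, RESOLVE, prefixes))
```

The `innocent.example` case shows the practical consequence of the design: every virtual host on a listed address is routed through the proxy, yet only listed URLs are blocked, so the proxy must carry all of that host's port-80 traffic. The address table is also only a snapshot of what the hostnames resolved to when the list was processed, so it has to be regenerated as the feed or the DNS answers change.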
