Can I suggest an alternate tack?

Try using a proxy instead of using the firewall. I use wwwoffle (http://www.gedanken.demon.co.uk) for offline access, but it does not have the right hooks: it will allow you to block specific sites, but not "all but ...". There are others, and they may do the job. If this works, you can block ports 80/8080/443 for all but the proxy and not worry about the DNS problems.

If we were talking commercially, I know Netscape Proxy could do the job, but that's OTT here.

As for your second question, wwwoffle would do it and give you the option to return a replacement page.
John
----- Original Message -----
From: "kei"
There's one big subject bubbling up: DNS timeouts.
I realize this is starting to get OT, but I have a similar problem I can't resist posting. I recently set up a computer lab with several computers sharing a connection. For security reasons, I didn't want the kids to be able to access every web site. Actually, just a short list of sites. Among those was hotmail.com. This is a big problem because there are about a dozen different IPs in use by hotmail. My DNS lookups work properly. Is there a way to dynamically alter the ipchains rules to allow connections to/from servers that resolve to *.hotmail.com?
One more question: I'm just dropping connection attempts to doubleclick's servers, so the connections time out with an error message. There's a better way, right?
Are these questions answered in a more advanced FAQ or HOWTO?
kei
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
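An added example, not code from John, kei or the wwwoffle project, showing how the firewall side of this thread fits together: John's suggestion of letting only the proxy out on 80/8080/443, kei's first question (ipchains rules that follow what a hostname resolves to), and kei's second question (connections that fail at once instead of timing out). Two caveats a practitioner should know: a packet filter matches addresses, never names, so a wildcard like *.hotmail.com cannot be expressed; you can only resolve the names you list and re-run the script (from cron) as the addresses change. And in ipchains, DENY drops the packet silently, which is what produces the timeout kei sees, while REJECT sends an ICMP error back so the browser fails immediately. Everything concrete below is assumed, not from the thread: the LAN range 192.168.1.0/24, the proxy address 192.168.1.2, a gateway that masquerades the LAN (so replies are demasqueraded on input and never traverse the forward chain), the hostnames, and a constructed DNS table with made-up addresses so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): regenerate the ipchains forward chain
# on a masquerading lab gateway so that only the proxy may reach the web
# directly, a short allow list of resolved hostnames is reachable by the
# whole LAN, and everything else on the web ports is REJECTed (fails at
# once) instead of DENYed (client waits for a timeout).
#
# Assumed values, not taken from the thread:
LAN=192.168.1.0/24
PROXY=192.168.1.2
WEB_PORTS="80 8080 443"
ALLOW_HOSTS="hotmail.com www.hotmail.com"
BLOCK_HOSTS="ad.doubleclick.net"

# Constructed stand-in for DNS so the script runs offline: "name ip" pairs
# with made-up addresses. On the real gateway replace lookup_ips with a
# resolver call such as:  host "$1" | awk '/has address/ { print $NF }'
DNS_TABLE="hotmail.com 10.0.0.1
hotmail.com 10.0.0.2
www.hotmail.com 10.0.0.3
ad.doubleclick.net 10.0.1.1"

lookup_ips() {            # $1 = hostname; prints one address per line
    printf '%s\n' "$DNS_TABLE" | awk -v h="$1" '$1 == h { print $2 }'
}

# Emit the ruleset in first-match order. On a masquerading box the forward
# chain only sees the outbound direction: replies are demasqueraded on input
# and go straight to output, so no return-traffic rules are needed here.
build_ruleset() {
    echo "ipchains -F forward"
    echo "ipchains -P forward DENY"
    # John's suggestion: the proxy alone may leave on the web ports.
    for p in $WEB_PORTS; do
        echo "ipchains -A forward -p tcp -s $PROXY -d 0.0.0.0/0 $p -j MASQ"
    done
    # kei's first question: allow-listed names, resolved at run time.
    # Re-run from cron so the rules follow the addresses as they change.
    for h in $ALLOW_HOSTS; do
        for ip in $(lookup_ips "$h"); do
            for p in $WEB_PORTS; do
                echo "ipchains -A forward -p tcp -s $LAN -d $ip $p -j MASQ"
            done
        done
    done
    # kei's second question: REJECT answers with an ICMP error so the
    # browser fails immediately; -l logs the attempt to the kernel log.
    for h in $BLOCK_HOSTS; do
        for ip in $(lookup_ips "$h"); do
            echo "ipchains -A forward -p tcp -s $LAN -d $ip -j REJECT -l"
        done
    done
    # Everything else on the web ports from the LAN also fails fast.
    for p in $WEB_PORTS; do
        echo "ipchains -A forward -p tcp -s $LAN -d 0.0.0.0/0 $p -j REJECT"
    done
}

# Usage on the gateway, as root:  sh lab-rules.sh apply
# Without "apply" the rules are only printed for review.
case "${1:-}" in
    apply) build_ruleset | sh ;;
    *)     build_ruleset ;;
esac
```

Rule order is what makes this work: ipchains stops at the first matching rule, so the allow-list MASQ rules must be appended before the catch-all REJECT, and the chain policy of DENY only catches non-web traffic that no rule mentioned. Note that the block-list entry is redundant with the catch-all on a pure allow list; it is kept with `-l` so that attempts show up in the kernel log.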