+++ /dev/null
-<h1>Blacklist based domain name filtering</h1>
-
-<p>The <code>nfblocker</code> utility is a blacklist based network traffic filter
-for <code>iptables</code> via <code>libnetfilter-queue</code>. It applies to HTTP and SSL
-traffic for recognizing and dropping packets that are directed to
-blacklisted domain names.</p>
-
-<h2>Dendencies</h2>
-
-<p>Operationally <code>nfblocker</code> depends on the <code>libnetfilter-queue-dev</code> and
-<code>iptables</code> packages, and for building, you'll also need a C build
-environment including <code>make</code>.</p>
-
-<p>The blacklist format is that of squidblacklist.org, which you'll need
-to acquire separately.</p>
-
-<h2>Build and Install</h2>
-
-<p><code>nfblocker</code> is distributed in a tar file, which should be unpacked at
-its future residence; e.g., as /usr/local/src/nfblocker-1.0.0. Then
-<code>cd</code> into that directory and type:</p>
-
-<blockquote>
- <p><code># make</code></p>
-</blockquote>
-
-<p>This will build the binary filter, and install the control script as
-<code>/usr/local/sbin/nfblocker.sh</code>. Edit the Makefile to install
-elsewhere.</p>
-
-<h2>Setup and Confguration</h2>
-
-<p>The residence has a directory <code>acl</code> that is intended to hold all
-available access control lists, and a directory <code>blocked</code> that should
-be set up with links to the access control list files to use. For
-example:</p>
-
-<blockquote>
- <p><code># ( cd blocked && ln -s ../acl/youtube-google-videos.acl )</code></p>
-</blockquote>
-
-<p>That command will set up <code>youtube-google-videos.acl</code> to be an included
-blacklist. Do the opposite to remove; for example:</p>
-
-<blockquote>
- <p><code># rm blocked/youtube-google-videos.acl</code></p>
-</blockquote>
-
-<h2>Running</h2>
-
-<p>The <code>nfblocker</code> is started with the following command:</p>
-
-<blockquote>
- <p><code># nfblocker.sh start</code></p>
-</blockquote>
-
-<p>With the <code>start</code> argument, the script adds appropriate <code>iptables</code>
-rules to use direct certain traffic to net-filter queue 99, and it
-starts a background process fot that filtering.</p>
-
-<blockquote>
- <p><code># nfblocker.sh reload</code></p>
-</blockquote>
-
-<p>With the <code>reload</code> argument, the control script stops and restarts the
-filter without changing <code>iptables</code> rules.</p>
-
-<blockquote>
- <p><code># nfblocker.sh stop</code></p>
-</blockquote>
-
-<p>With the <code>stop</code> argument, the control script removes the <code>iptables</code>
-rules and terminates the filtering process.</p>
-
-<h2>Technical Detail</h2>
-
-<p>The filtering uses the given lists of domain names for rejecting
-packets. It recognizes HTTP message headers and SSL certificate
-requests, from where it picks out the targeted domain name. If that
-name is blacklised or in a blacklisted domain, then the packet is
-rejected.</p>
-
-<p>The filtering also uses a fixed size decision cache, so that
-subsequent decisions for the same target can be made quickly.</p>
+++ /dev/null
-# Blacklist based domain name filtering
-
-The `nfblocker` utility is a blacklist based network traffic filter
-for `iptables` via `libnetfilter-queue`. It applies to HTTP and SSL
-traffic for recognizing and dropping packets that are directed to
-blacklisted domain names.
-
-## Dendencies
-
-Operationally `nfblocker` depends on the `libnetfilter-queue-dev` and
-`iptables` packages, and for building, you'll also need a C build
-environment including `make`.
-
-The blacklist format is that of squidblacklist.org, which you'll need
-to acquire separately.
-
-## Build and Install
-
-`nfblocker` is distributed in a tar file, which should be unpacked at
-its future residence; e.g., as /usr/local/src/nfblocker-1.0.0. Then
-`cd` into that directory and type:
-
-> `# make`
-
-This will build the binary filter, and install the control script as
-`/usr/local/sbin/nfblocker.sh`. Edit the Makefile to install
-elsewhere.
-
-## Setup and Confguration
-
-The residence has a directory `acl` that is intended to hold all
-available access control lists, and a directory `blocked` that should
-be set up with links to the access control list files to use. For
-example:
-
-> `# ( cd blocked && ln -s ../acl/youtube-google-videos.acl )`
-
-That command will set up `youtube-google-videos.acl` to be an included
-blacklist. Do the opposite to remove; for example:
-
-> `# rm blocked/youtube-google-videos.acl`
-
-## Running
-
-The `nfblocker` is started with the following command:
-
-> `# nfblocker.sh start`
-
-With the `start` argument, the script adds appropriate `iptables`
-rules to use direct certain traffic to net-filter queue 99, and it
-starts a background process fot that filtering.
-
-> `# nfblocker.sh reload`
-
-With the `reload` argument, the control script stops and restarts the
-filter without changing `iptables` rules.
-
-> `# nfblocker.sh stop`
-
-With the `stop` argument, the control script removes the `iptables`
-rules and terminates the filtering process.
-
-## Technical Detail
-
-The filtering uses the given lists of domain names for rejecting
-packets. It recognizes HTTP message headers and SSL certificate
-requests, from where it picks out the targeted domain name. If that
-name is blacklised or in a blacklisted domain, then the packet is
-rejected.
-
-The filtering also uses a fixed size decision cache, so that
-subsequent decisions for the same target can be made quickly.
projects / rrq / nfblocker.git / commitdiff