The firewall includes a facility for blocking access to servers by matching keywords against their symbolic DNS hostnames. Because a keyword matches every hostname that contains it, a small number of keywords can block a large number of web sites. The firewall not only refuses DNS lookups for hostnames that match a keyword; it also keeps a cache of hostname/address correspondences, so that connections to the corresponding numeric addresses are blocked as well. The cache is saved to disk at regular intervals so that it persists across restarts. Since the cache can only hold correspondences the firewall has itself seen resolved, a client that already knows a server's numeric address can connect to it without ever triggering a keyword match; the facility is therefore neither comprehensive nor foolproof. It is still useful for blocking the bulk of web sex sites (for example) with minimal administrative overhead.
To use smart blocking, enter a set of keywords, actions, and time-of-day/day-of-week
specifications in the Smart Block Setup Screen (Figure 4.11). A keyword may be a
substring of a word and may contain periods, which are matched literally and give
finer control over where in a hostname the keyword must fall. The action is either
`Block', meaning that matching hostnames are not accessible, or `Allow', meaning
that they are. Entries are consulted in order, and the first entry that matches a
host determines the action for that host, so the order of entries matters: an
`Allow' exception must be listed before the broader `Block' it carves out of. A
leading caret (^) forces a prefix match (the hostname must begin with the keyword),
while a trailing dollar sign ($) forces a suffix match (the hostname must end with
it). Thus, for example:
Allow .virgin.net$
Block virgin
will block address lookups of all domain names containing the word `virgin', with the exception of names ending in .virgin.net (Virgin airlines, in this example). Attempts to connect to the corresponding numeric addresses will also be blocked. Note that because `virgin' is matched as a substring, the second entry also blocks unrelated names such as those containing `virginia'; list further `Allow' entries ahead of it for any such hosts that must remain reachable.
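As an added worked example (not the firewall's own code), the following Python models the matching rules described above: an ordered list of Block/Allow entries, first match wins, a leading `^` anchors a prefix, a trailing `$` anchors a suffix, and anything else is a substring match with periods taken literally. It also models the hostname/address cache so that the verdict for a hostname carries over to the numeric addresses it was seen to resolve to. The one-entry-per-line `Block`/`Allow` text format, case-insensitive comparison of hostnames, the default verdict of Allow for a host matching no entry, and keeping a set of hostnames per address are assumptions of this example, not details taken from the manual.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str   # "Block" or "Allow"
    pattern: str  # keyword; optional leading '^' (prefix) and/or trailing '$' (suffix)

    def matches(self, hostname: str) -> bool:
        # DNS names are case-insensitive and may carry a trailing dot; normalise
        # both so that "WWW.Example.COM." compares equal to "www.example.com".
        # (Case-insensitive matching is an assumption of this example.)
        host = hostname.lower().rstrip(".")
        pat = self.pattern.lower()
        prefix = pat.startswith("^")
        suffix = pat.endswith("$")
        start = 1 if prefix else 0
        end = len(pat) - 1 if suffix else len(pat)
        core = pat[start:end]
        if prefix and suffix:
            return host == core
        if prefix:
            return host.startswith(core)
        if suffix:
            return host.endswith(core)
        return core in host  # plain substring match; periods are literal characters


@dataclass
class SmartBlock:
    rules: list                                # ordered; the first matching rule decides
    default: str = "Allow"                     # verdict when no rule matches (assumed)
    cache: dict = field(default_factory=dict)  # address -> set of hostnames seen resolving to it

    @classmethod
    def parse(cls, text: str) -> "SmartBlock":
        """Parse lines of the form '<Block|Allow> <keyword>' (a constructed format)."""
        rules = []
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            action, pattern = line.split(None, 1)
            if action not in ("Block", "Allow"):
                raise ValueError(f"unknown action {action!r} in {line!r}")
            rules.append(Rule(action, pattern.strip()))
        return cls(rules)

    def decide_host(self, hostname: str) -> str:
        """First matching entry wins; order of the rule list therefore matters."""
        for rule in self.rules:
            if rule.matches(hostname):
                return rule.action
        return self.default

    def record_lookup(self, hostname: str, address: str) -> None:
        """Remember a hostname/address correspondence the filter has seen resolved."""
        addr = str(ipaddress.ip_address(address))
        self.cache.setdefault(addr, set()).add(hostname.lower().rstrip("."))

    def decide_address(self, address: str) -> str:
        addr = str(ipaddress.ip_address(address))
        names = self.cache.get(addr)
        if not names:
            # Never resolved through the filter: no keyword can apply, so a client
            # that already knows the numeric address gets through. This is the gap
            # that makes hostname-based blocking non-comprehensive.
            return self.default
        # If any blocked name was seen resolving to this address, block the address.
        # With shared hosting this also blocks allowed names served from it.
        if any(self.decide_host(n) == "Block" for n in names):
            return "Block"
        return "Allow"


# Constructed rule set: the manual's two-line example.
RULES = """
Allow .virgin.net$
Block virgin
"""

if __name__ == "__main__":
    sb = SmartBlock.parse(RULES)
    for name in ("www.virgin.net", "www.virgin.com", "www.virginia.gov", "example.org"):
        print(f"{name:20} {sb.decide_host(name)}")
    sb.record_lookup("www.virgin.com", "192.0.2.10")   # address seen resolving to a blocked name
    print("192.0.2.10", sb.decide_address("192.0.2.10"))
    print("192.0.2.11", sb.decide_address("192.0.2.11"))  # never resolved: not blocked
```

Two details the model makes visible: `.virgin.net$` does not cover the bare name `virgin.net` (it has no leading period), so that host would still fall through to `Block virgin`; and an address is only ever blocked if some lookup for a matching hostname passed through the filter first, which is why the facility is described as neither comprehensive nor foolproof.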