I am trying to figure out whether or not it's possible to make sure that if a user uses a browser and types in a domain name that ends in either "se" or "ru", they will be denied access to that site.

PS: this is a school assignment, and my teacher demands that I make use of TCP wrapper, so downloading some module that will do the trick is out of the question, unfortunately.

  • Be much easier/quicker (but not the point of the assignment maybe) to set up a local DNS server and spoof being authoritative on your LAN for the TLDs you want to block access for. This is what I do at home; it is great being able to spoof Facebook with a message to my kids about "go do your homework instead".
    – ivanivan
    Commented May 1, 2019 at 17:09
  • I love that idea lol
    – Brad Bit
    Commented May 1, 2019 at 17:47
  • @ivanivan dnsmasq would be easier for a single computer. Saying that, I also use a local BIND server to curb advertisement/malware domains.
    Commented May 2, 2019 at 7:35
  • If people are interested in DNS-based censorship, I recommend writing a dedicated question, where it would be easier to raise any limitations or caveats :-).
    – sourcejedi
    Commented May 2, 2019 at 13:32

2 Answers


No, it is not possible. (It might be a trick question :-).

TCP Wrapper (tcp_wrappers_7.6.tar.gz)

Wietse Venema's network logger, also known as TCPD or LOG_TCP. These programs log the client host name of incoming telnet, ftp, rsh, rlogin, finger etc. requests.

To fetch a website, a web browser makes an outgoing request. (And web browsers do not abuse libwrap for a purpose it is not intended for.)

  • By "no / trick question", do you mean that it's impossible to make the restrictions I want with TCP wrappers? If so, I thought it might be the case, since my teacher has made mistakes in past assignments that he has corrected later on.
    – Brad Bit
    Commented May 1, 2019 at 17:34
  • Thanks a ton. He mentioned iptables earlier (which I think also might be a bit outdated, but it should do the trick), so I think that's what he wants me to use :)
    – Brad Bit
    Commented May 2, 2019 at 13:19
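To make the direction point concrete, here is an added example (not code from the page, the question, or the tcp_wrappers project) that re-implements a subset of the hosts_access(5) matching rules in Python: ALL, exact host names, ".suffix" host patterns, "prefix." address patterns and EXCEPT, evaluated in the usual order (hosts.allow first, then hosts.deny, default grant). The hosts.allow/hosts.deny contents and the client names and addresses are constructed for the demonstration. The input to the check is always the client of an inbound connection to a wrapped daemon; there is no place in this logic for the destination of an outgoing browser request, which is why a ".se .ru" rule only describes who may connect to you.

```python
"""Simplified libwrap-style hosts_access evaluator (added example, not the
tcp_wrappers implementation). Patterns supported: ALL, exact host/address,
'.suffix' (matches a client hostname ending in the suffix), 'prefix.'
(matches a client address starting with the prefix) and a single EXCEPT.
Netgroups, netmasks, KNOWN/UNKNOWN/PARANOID and options are not handled."""

from dataclasses import dataclass

# Constructed sample policy files standing in for /etc/hosts.allow and
# /etc/hosts.deny. Rules have the form  daemon_list : client_list
HOSTS_ALLOW = """
# the local network may reach every wrapped daemon
ALL: 192.168.1.
# sshd is open to one domain, minus one host in it
sshd: .example.org EXCEPT bad.example.org
"""

HOSTS_DENY = """
# clients whose reverse name ends in .se or .ru are refused by every daemon
ALL: .se .ru
# anyone else reaching sshd is refused too
sshd: ALL
"""


@dataclass
class Client:
    """The remote end of an INBOUND connection as libwrap sees it."""
    host: str   # reverse-resolved hostname, "" when lookup failed
    addr: str   # peer IPv4 address as text


def _token_matches(token: str, value: str) -> bool:
    """Match one pattern token against one client attribute."""
    if token == "ALL":
        return True
    if token.startswith("."):        # hostname suffix pattern, e.g. ".ru"
        return value.endswith(token)
    if token.endswith("."):          # address prefix pattern, e.g. "192.168.1."
        return value.startswith(token)
    return token == value            # exact host or address


def _list_matches(pattern_list: str, values: list[str]) -> bool:
    """Match 'a b EXCEPT c d' against any of the given attribute values."""
    included, _, excluded = pattern_list.partition(" EXCEPT ")

    def any_match(plist: str) -> bool:
        return any(_token_matches(tok, v) for tok in plist.split() for v in values)

    return any_match(included) and not (excluded and any_match(excluded))


def _parse(text: str) -> list[tuple[str, str]]:
    """Return (daemon_list, client_list) pairs, dropping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            rules.append((fields[0], fields[1]))
    return rules


def hosts_access(daemon: str, client: Client,
                 allow_text: str = HOSTS_ALLOW,
                 deny_text: str = HOSTS_DENY) -> bool:
    """True if libwrap would let this inbound client reach `daemon`.

    Order follows hosts_access(5): first match in hosts.allow grants,
    else first match in hosts.deny refuses, else access is granted."""
    attrs = [client.host, client.addr]
    for daemons, clients in _parse(allow_text):
        if _list_matches(daemons, [daemon]) and _list_matches(clients, attrs):
            return True
    for daemons, clients in _parse(deny_text):
        if _list_matches(daemons, [daemon]) and _list_matches(clients, attrs):
            return False
    return True


if __name__ == "__main__":
    # Constructed inbound clients; the question's outbound browser request
    # never passes through this function at all.
    for daemon, client in [
        ("in.ftpd", Client("mail.example.ru", "203.0.113.7")),
        ("in.ftpd", Client("pc.example.ru", "192.168.1.20")),
        ("sshd", Client("good.example.org", "198.51.100.4")),
        ("sshd", Client("bad.example.org", "198.51.100.3")),
        ("in.ftpd", Client("", "203.0.113.9")),
    ]:
        verdict = "allow" if hosts_access(daemon, client) else "deny"
        print(f"{daemon:8} {client.host or '<unknown>':20} {client.addr:15} {verdict}")
```

The .ru client on the local network is granted because hosts.allow is consulted first, and the unresolvable client reaching in.ftpd falls through to the default grant; both are ordinary hosts_access behaviour and both concern connections arriving at the machine.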

TCP wrappers have been falling out of fashion. Web servers (Apache and others) might need to be compiled with support for TCP wrappers. Apache and Nginx have their own methods and modules which are normally used instead.

The Nginx web server also does not support TCP wrappers, but there is a module to support them at this address: https://github.com/sjinks/ngx_tcpwrappers. This also requires compilation from source and has severe limitations.

It should be noted that TCP Wrappers have several peculiarities you should know about:

  • The most disappointing thing is that libwrap (the library implementing TCP Wrappers functionality) is not a thread-safe library. In other words, if two threads try to simultaneously use libwrap, the results could be weird. This is because libwrap uses non-reentrant functions like strtok(), gethostbyname(), gethostbyaddr() etc. If nginx is built with threading support (does it work yet?), use of libwrap can lead to performance penalties (because access to libwrap functions will have to be serialized). If nginx is configured without threading support (this is the default for Linux), everything is OK.
  • Dynamic ACL configuration comes at a price: libwrap will read and parse /etc/hosts.allow and /etc/hosts.deny on every request; this may be an issue for high-load projects.

So in the end, using TCP wrappers is not feasible.

  • Still, it looks like that module will only restrict incoming connections to Nginx, not the destination of outgoing or proxied connections.
    – telcoM
    Commented May 2, 2019 at 7:07
  • @telcoM The exercise does not make much sense as it is...
    Commented May 2, 2019 at 7:34
