I used to track all those IPs during browsing websites. I defined undesired connections (ads and trackers), so decided to block them all. That's it
Then they're sort of "random samplings" of where you don't want to bother retrieving content from, rather than "hostile" IPs. In that case, you don't need to necessarily block them at the firewall.
You might want to consider a good plugin for your browser (I use uBlock Origin on my desktop systems) as the "best" option in my opinion.
Other things to explore would be DNS-based blocking with established lists, perhaps augmented by your own list. With cloud hosting, IP addresses can change very quickly, making hand-collected lists less valuable than they once were. Unless the IP lists are regularly updated, they may end up blocking "innocent" traffic. IP blocks are also problematic with multiple domains and websites being hosted on the same IP address, especially for IPv4.
The banip and adblock packages might be interesting to you to look into.
2 Likes
Thanks jeff. The fact that the IPs change frequently is the main problem here, but I'm ready to face it once an innocent service gets blocked.
I'd like to have the IPs blocked for any of my device, not just PC. I used to have a firewall installed on it, but it consumed a lot of CPU power to block that huge set of addresses. Moreover, there was an undesired system traffic that couldn't be blocked with a browser extension. So I want my portable router to do the stuff.
A few things. The first is Chaos Calmer is long past EOL and its kernel, wireless protocols, and third-party software have multiple, well-known, and actively exploited, severe security vulnerabilities. You do have to upgrade.
Current packages canât be used with a nearly five-year-old release.
5000 firewall rules is 100x reasonable. Moving to a set-based approach should speed things.
You donât need to block at the firewall those IPs to keep a device from requesting them. Returning âNXDOMAINâ from DNS means that device canât even determine what IP belongs to ads.example.com
I still suggest upgrading and using banIP or Adblock, trying it first without your custom list.
The Atheros AR9331, @400MHz is not a powerful SoC, but should be sufficient for 100 Mbps, reasonably configured. That probably includes not keeping LuCI open when youâre not configuring things.
4 Likes
That's what I'm going to figure out. Thanks for your advice.
2 Likes
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.