Date: Fri, 5 May 2017 23:56:43 -0300
From: "Dr. Rolf Jansen" <rj@obsigna.com>
To: Karl Denninger <karl@denninger.net>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Question that has dogged me for a while.
Message-ID: <B0CD9D13-7EE7-46B2-B22A-0AC64A54FB18@obsigna.com>
In-Reply-To: <29c05b94-be21-2090-03c5-f3905d3e2e06@denninger.net>
References: <26ccc7eb-bed3-680c-2c86-2a83684299fb@denninger.net> <08BB50FC-510C-4FCF-8443-0BB16EA2D032@obsigna.com> <6f304edb-ad2e-cb2a-eea9-7b6bbe0be760@freebsd.org> <52f73440-c1f0-7f08-0f8e-f912436ee686@denninger.net> <11FA2DA2-85AB-4E70-B9B5-CDADAAA3C295@obsigna.com> <29c05b94-be21-2090-03c5-f3905d3e2e06@denninger.net>
On 05.05.2017 at 21:14, Karl Denninger <karl@denninger.net> wrote:
> On 5/5/2017 19:08, Dr. Rolf Jansen wrote:
>> On 05.05.2017 at 20:53, Karl Denninger <karl@denninger.net> wrote:
>>> On 5/5/2017 14:33, Julian Elischer wrote:
>>>> On 5/5/17 1:48 am, Dr. Rolf Jansen wrote:
>>>>> Resolving this with ipfw/NAT may easily become quite complicated, if not impossible if you want to run a stateful nat'ting firewall, which is usually the better choice.
>>>>>
>>>>> IMHO a DNS based solution is much more effective.
>>>>>
>>>>> On my gateway I have running the caching DNS resolver Unbound. Now let's assume the second level domain name in question is example.com, and your web server would be accessed by www.example.com, while other services, e.g. mail, are served from other sites on the internet.
>>>> I believe this is a much cleaner solution than using double NAT.
>>>> (see also my solution for if the server is also freebsd)
>>>> even though we have a nice set of new IPFW capabilities that can do this, I still think double nat is an over complication of the system.
>>>>
>>> Well, the DNS answer is one that works IF you control the zone in question every time. ...
>> I do not understand "control the zone ... every time".
>>
>> I set up my transparent zones 5 years ago and never touched it again, and I don't see any "illegal" packets on my network caused by this either.
>>
>> I understand that you actually didn't grasp the transparent zone technique.
>>
>> Happy double nat'ting :-D
> On the contrary I do understand it (and how to do it), along with how to throw "off-network" packets at the other host. Both ways work (unbound is arguably simpler than BIND, but it'll work in both cases) but the point is that you then must keep two things in sync rather than do one thing in one place.

With BIND you cannot set up a selectively transparent zone. You are talking about split DNS, and that's a different animal.
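The selectively transparent Unbound zone described in this thread, written out as an added example (it is not configuration from the thread; the gateway and web server addresses are constructed placeholders from the RFC 5737 documentation range, and the LAN interface and access-control lines are assumptions about the gateway layout):

```conf
# Added example, not from the thread. Unbound on the gateway answers
# www.example.com with the LAN address of the web server, while every
# other name under example.com (the MX for mail, etc.) is resolved
# upstream exactly as before. Addresses are constructed placeholders.
server:
    interface: 192.0.2.1              # assumption: gateway's LAN address
    access-control: 192.0.2.0/24 allow
    access-control: 0.0.0.0/0 refuse  # do not act as an open resolver

    # "transparent": names with local-data are answered from it;
    # everything else under example.com is resolved normally.
    local-zone: "example.com" transparent
    local-data: "www.example.com. IN A 192.0.2.10"   # placeholder web server
    local-data-ptr: "192.0.2.10 www.example.com"
```

Only www.example.com is answered locally, which is what makes this different from a split-DNS copy of the whole zone as would be needed with BIND. If www.example.com also has upstream records of other types (an AAAA, say), a `transparent` zone answers those queries with NODATA; `typetransparent` forwards them upstream instead.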