Date:      Fri, 5 May 2017 22:32:29 -0500
From:      Karl Denninger <karl@denninger.net>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: Question that has dogged me for a while.
Message-ID:  <cc24d01f-1984-78d4-802e-d791f9f996e4@denninger.net>
In-Reply-To: <B0CD9D13-7EE7-46B2-B22A-0AC64A54FB18@obsigna.com>
References:  <26ccc7eb-bed3-680c-2c86-2a83684299fb@denninger.net> <08BB50FC-510C-4FCF-8443-0BB16EA2D032@obsigna.com> <6f304edb-ad2e-cb2a-eea9-7b6bbe0be760@freebsd.org> <52f73440-c1f0-7f08-0f8e-f912436ee686@denninger.net> <11FA2DA2-85AB-4E70-B9B5-CDADAAA3C295@obsigna.com> <29c05b94-be21-2090-03c5-f3905d3e2e06@denninger.net> <B0CD9D13-7EE7-46B2-B22A-0AC64A54FB18@obsigna.com>

On 5/5/2017 21:56, Dr. Rolf Jansen wrote:
> Am 05.05.2017 um 21:14 schrieb Karl Denninger <karl@denninger.net>:
>> On 5/5/2017 19:08, Dr. Rolf Jansen wrote:
>>> Am 05.05.2017 um 20:53 schrieb Karl Denninger <karl@denninger.net>:
>>>> On 5/5/2017 14:33, Julian Elischer wrote:
>>>>> On 5/5/17 1:48 am, Dr. Rolf Jansen wrote:
>>>>>> Resolving this with ipfw/NAT may easily become quite complicated, if
>>>>>> not impossible if you want to run a stateful nat'ting firewall, which
>>>>>> is usually the better choice.
>>>>>>
>>>>>> IMHO a DNS based solution is much more effective.
>>>>>>
>>>>>> On my gateway I have running the caching DNS resolver Unbound. Now
>>>>>> let's assume, the second level domain name in question is
>>>>>> example.com, and your web server would be accessed by
>>>>>> www.example.com, while other services, e.g. mail are served from
>>>>>> other sites on the internet.
>>>>> I believe this is a much cleaner solution than using double NAT.
>>>>> (see also my solution for if the server is also freebsd)
>>>>> even though we have a nice set of new IPFW capabilities that can do
>>>>> this, I still think double nat is an over complication of the system.
>>>>>
>>>> Well, the DNS answer is one that works IF you control the zone in
>>>> question every time. ...
>>> I do not understand "control the zone ... every time".
>>>
>>> I set up my transparent zones 5 years ago and never touched it again, and I don't see any "illegal" packets on my network caused by this either.
>>>
>>> I understand that you actually didn't grasp the transparent zone technique.
>>>
>>> Happy double nat'ting :-D
>> On the contrary I do understand it (and how to do it), along with how to
>> throw "off-network" packets at the other host.  Both ways work (unbound
>> is arguably simpler than BIND, but it'll work in both cases) but the
>> point is that you then must keep two things in sync rather than do one
>> thing in one place.
> With BIND you cannot set up a selectively transparent zone. You are talking about split DNS, and that's a different animal.
>
Well, sort of you can.

Look at "response-policy" in the options section of named.conf....  It
does basically the same sort of thing that you can do with unbound; it's
been there for a while.

-- 
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
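As an added illustration (not part of the thread and not anyone's posted configuration), this is what the BIND "response-policy" arrangement referred to above looks like for the case discussed in the thread: queries for www.example.com from the LAN get the web server's internal address instead of the public one, while mail.example.com and every other name under example.com still resolve upstream, without any hairpin/double NAT. The policy zone name rpz.local, the file paths, the LAN prefix 192.168.1.0/24 and the address 192.168.1.10 are assumptions for the example.

```conf
// --- named.conf (added example; zone name, paths and addresses are assumptions) ---
options {
    directory "/usr/local/etc/namedb";
    recursion yes;
    allow-recursion { 192.168.1.0/24; 127.0.0.1; };
    // Apply the policy zone below to every answer this resolver produces.
    // Only names present in rpz.local are rewritten; everything else is
    // resolved normally, which is what makes this "selectively transparent".
    response-policy { zone "rpz.local"; };
};

// The policy zone is local data only: never serve or transfer it to clients.
zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query { none; };
    allow-transfer { none; };
};

; --- rpz.local.db (added example) ---
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 2017050501 3600 900 604800 300 )
    IN NS   localhost.

; RPZ "Local Data" action: a query for www.example.com is answered with this
; record instead of the public one.  The owner name is relative to the policy
; zone, so this entry matches exactly www.example.com and nothing else under
; example.com (mail.example.com is not listed here and resolves upstream).
www.example.com   IN A   192.168.1.10
```

Validate with `named-checkconf` and `named-checkzone rpz.local rpz.local.db` before `rndc reload`. Two caveats a practitioner should keep in mind with either resolver: first, the rewrite only reaches clients that actually use this resolver, so a host with a hard-coded public resolver still gets the public address and goes out through NAT; second, a rewritten answer cannot carry the original zone's DNSSEC signatures. In BIND, `break-dnssec` defaults to `no`, so if example.com is signed and a client sets the DO bit, the policy is not applied to that query and the public address is returned. The Unbound equivalent mentioned in the thread is `local-zone: "example.com." transparent` together with `local-data: "www.example.com. IN A 192.168.1.10"`; note that with `transparent` an AAAA query for www.example.com gets NODATA because the name exists in local data, whereas `typetransparent` sends record types not present in local data upstream.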
