Subject: Re: Question that has dogged me for a while.
From: "Dr. Rolf Jansen"
Date: Fri, 5 May 2017 23:56:43 -0300
To: Karl Denninger
Cc: freebsd-ipfw@freebsd.org
List-Id: IPFW Technical Discussions

On 05.05.2017 at 21:14, Karl Denninger wrote:

> On 5/5/2017 19:08, Dr. Rolf Jansen wrote:
>> On 05.05.2017 at 20:53, Karl Denninger wrote:
>>> On 5/5/2017 14:33, Julian Elischer wrote:
>>>> On 5/5/17 1:48 am, Dr. Rolf Jansen wrote:
>>>>> Resolving this with ipfw/NAT may easily become quite complicated, if
>>>>> not impossible if you want to run a stateful nat'ting firewall, which
>>>>> is usually the better choice.
>>>>>
>>>>> IMHO a DNS based solution is much more effective.
>>>>>
>>>>> On my gateway I have the caching DNS resolver Unbound running. Now
>>>>> let's assume the second-level domain name in question is
>>>>> example.com, and your web server would be accessed by
>>>>> www.example.com, while other services, e.g. mail, are served from
>>>>> other sites on the internet.
>>>> I believe this is a much cleaner solution than using double NAT.
>>>> (see also my solution for if the server is also freebsd)
>>>> even though we have a nice set of new IPFW capabilities that can do
>>>> this, I still think double nat is an over complication of the system.
>>>>
>>> Well, the DNS answer is one that works IF you control the zone in
>>> question every time. ...
>> I do not understand "control the zone ... every time".
>>
>> I set up my transparent zones 5 years ago and never touched them again, and I don't see any "illegal" packets on my network caused by this either.
>>
>> I understand that you actually didn't grasp the transparent zone technique.
>>
>> Happy double nat'ting :-D
> On the contrary I do understand it (and how to do it), along with how to
> throw "off-network" packets at the other host. Both ways work (unbound
> is arguably simpler than BIND, but it'll work in both cases) but the
> point is that you then must keep two things in sync rather than do one
> thing in one place.

With BIND you cannot set up a selectively transparent zone. You are talking about split DNS, and that's a different animal.
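The selectively transparent Unbound zone that the thread describes (www.example.com answered from the gateway, everything else under example.com resolved from the internet), written out as an added example that is not from the thread or from the Unbound project; the LAN address 192.168.1.10 is a constructed placeholder:

```conf
# Added example, not the list poster's config. Goes in the server: clause of unbound.conf
# on the gateway. Assumption: the web server sits on the LAN at 192.168.1.10 (placeholder).
server:
    # "transparent" is the key word. Only names that have local-data below are answered
    # from the gateway; any other name under example.com (mail.example.com, the apex MX
    # lookup, ...) is resolved upstream exactly as before, so mail keeps working.
    local-zone: "example.com." transparent

    # LAN clients asking for www.example.com get the internal address and connect to the
    # server directly instead of through the NATed public address.
    local-data: "www.example.com. IN A 192.168.1.10"
    local-data-ptr: "192.168.1.10 www.example.com"

    # Caveat: in a "transparent" zone a name that exists in local-data but is queried for
    # another type (e.g. www.example.com AAAA) gets an empty NOERROR answer rather than
    # being forwarded. If those other types should still come from upstream, use
    #     local-zone: "example.com." typetransparent
    # instead.

    # Contrast: the "static" type is the split-DNS behaviour. It would answer
    # NXDOMAIN/NODATA for every name under example.com that is not listed here, which is
    # exactly what breaks mail and the other externally hosted services.
    #     local-zone: "example.com." static      # not what we want here
```

After reloading Unbound, a lookup of www.example.com against the gateway should return 192.168.1.10 while mail.example.com still resolves to its public address from upstream; if the second lookup fails, check that the zone type is transparent and not static.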