From: Karl Denninger <karl@denninger.net>
To: freebsd-ipfw@freebsd.org
Subject: Re: Question that has dogged me for a while.
Date: Thu, 4 May 2017 13:07:47 -0500
In-Reply-To: <08BB50FC-510C-4FCF-8443-0BB16EA2D032@obsigna.com>
List-Id: IPFW Technical Discussions

On 5/4/2017 12:48, Dr. Rolf Jansen wrote:
> Resolving this with ipfw/NAT may easily become quite complicated, if not impossible, if you want to run a stateful NATing firewall, which is usually the better choice.
>
> IMHO a DNS-based solution is much more effective.
>
> On my gateway I have the caching DNS resolver Unbound running. Now let's assume the second-level domain name in question is example.com, and your web server would be accessed by www.example.com, while other services, e.g. mail, are served from other sites on the internet.
>
> In unbound.conf you would place two additional lines before any forwarding directive:
>
> local-zone: "example.com" transparent
> local-data: "www.example.com" A 192.168.1.1
>
> All the clients on the LAN should use the DNS service on the gateway. In the first place Unbound does higher-level DNS lookups locally; however, the transparent attribute lets it fall through to its normal recursive or forwarding behaviour in case a given domain could not be resolved locally. For example, the query for www.example.com would return 192.168.1.1 and the query for mail.example.com would be passed either to the forwarder or resolved recursively from the internet.
>
> This way, local clients would directly access your web server from the inside; no NAT is needed.
>
> IMHO, a DNS server on the gateway has more advantages. It can be used to block access to fraudulent or otherwise useless services on the internet for the whole LAN.
>
> Best regards
>
> Rolf
>

That's another alternative I'm considering which might wind up being the way I ultimately go....
-- 
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
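The local-zone/local-data behaviour Rolf describes, as an added example that is not part of the thread: a small Python model of Unbound's documented zone-type semantics that parses the two quoted unbound.conf lines (plus a constructed "refuse" zone of the kind he mentions for blocking unwanted sites) and reports which queries are answered from local data, which get an empty answer, and which fall through to the forwarder. The config fragment and the hostnames queried are constructed for the example; it does not talk to a real resolver.

```python
import re

# Constructed unbound.conf fragment (not from the post): the two lines Rolf
# gave plus a "refuse" zone of the kind he mentions for blocking unwanted sites.
UNBOUND_CONF = """
server:
    local-zone: "example.com" transparent
    local-data: "www.example.com" A 192.168.1.1
    local-zone: "bad.example" refuse
"""
_ZONE = re.compile(r'local-zone:\s*"([^"]+)"\s+(\w+)')
_DATA = re.compile(r'local-data:\s*"([^"]+)"\s+(\w+)\s+(\S+)')

def parse_conf(text):
    """Return ({zone: type}, {(name, rrtype): rdata}); names lower-cased, no trailing dot."""
    zones, data = {}, {}
    for line in text.splitlines():
        if m := _ZONE.search(line):
            zones[m[1].lower().rstrip(".")] = m[2].lower()
        elif m := _DATA.search(line):
            data[(m[1].lower().rstrip("."), m[2].upper())] = m[3]
    return zones, data

def enclosing_zone(name, zones):
    """Longest configured local-zone equal to name or one of its parents."""
    labels = name.lower().rstrip(".").split(".")
    return next((z for z in (".".join(labels[i:]) for i in range(len(labels)))
                 if z in zones), None)

def resolve(name, rrtype, zones, data):
    """Model Unbound's documented local-zone semantics for one query.
    Returns ("local", rdata) or ("nodata"|"nxdomain"|"refused"|"forward", None)."""
    name = name.lower().rstrip(".")
    zone = enclosing_zone(name, zones)
    if zone is None:
        return ("forward", None)            # no local-zone covers this name
    rdata = data.get((name, rrtype.upper()))
    if rdata is not None:
        return ("local", rdata)             # every zone type answers local-data first
    if any(n == name for n, _ in data):
        return ("nodata", None)             # name is local but this type is not
    ztype = zones[zone]
    if ztype == "transparent":
        return ("forward", None)            # fall through to forwarder / recursion
    if ztype == "refuse":
        return ("refused", None)            # whole zone blocked for the LAN
    return ("nxdomain", None)               # static: local data only, no recursion
```

The nodata result for an AAAA query on www.example.com is the documented "transparent" behaviour (the "typetransparent" type would forward it instead); it matters on a dual-stack LAN, where forwarding would otherwise hand clients the public AAAA record and defeat the split-horizon setup.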