Date: Fri, 5 May 2017 21:08:30 -0300
From: "Dr. Rolf Jansen" <rj@obsigna.com>
To: Karl Denninger <karl@denninger.net>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Question that has dogged me for a while.
Message-ID: <11FA2DA2-85AB-4E70-B9B5-CDADAAA3C295@obsigna.com>
In-Reply-To: <52f73440-c1f0-7f08-0f8e-f912436ee686@denninger.net>
References: <26ccc7eb-bed3-680c-2c86-2a83684299fb@denninger.net> <08BB50FC-510C-4FCF-8443-0BB16EA2D032@obsigna.com> <6f304edb-ad2e-cb2a-eea9-7b6bbe0be760@freebsd.org> <52f73440-c1f0-7f08-0f8e-f912436ee686@denninger.net>

On 05.05.2017 at 20:53, Karl Denninger <karl@denninger.net> wrote:

> On 5/5/2017 14:33, Julian Elischer wrote:
>> On 5/5/17 1:48 am, Dr. Rolf Jansen wrote:
>>> Resolving this with ipfw/NAT may easily become quite complicated, if
>>> not impossible if you want to run a stateful nat'ting firewall, which
>>> is usually the better choice.
>>>
>>> IMHO a DNS based solution is much more effective.
>>>
>>> On my gateway I have running the caching DNS resolver Unbound. Now
>>> let's assume, the second level domain name in question is
>>> example.com, and your web server would be accessed by
>>> www.example.com, while other services, e.g. mail are served from
>>> other sites on the internet.
>>
>> I believe this is a much cleaner solution than using double NAT.
>> (see also my solution for if the server is also freebsd)
>> even though we have a nice set of new IPFW capabilities that can do
>> this, I still think double nat is an over complication of the system.
>>
> Well, the DNS answer is one that works IF you control the zone in
> question every time. ...

I do not understand "control the zone ... every time".

I set up my transparent zones 5 years ago and never touched it again, and I don't see any "illegal" packets on my network caused by this either.

I understand that you actually didn't grasp the transparent zone technic.

Happy double nat'ting :-D