Date:      Fri, 5 May 2017 19:14:46 -0500
From:      Karl Denninger <karl@denninger.net>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: Question that has dogged me for a while.
Message-ID:  <29c05b94-be21-2090-03c5-f3905d3e2e06@denninger.net>
In-Reply-To: <11FA2DA2-85AB-4E70-B9B5-CDADAAA3C295@obsigna.com>
References:  <26ccc7eb-bed3-680c-2c86-2a83684299fb@denninger.net> <08BB50FC-510C-4FCF-8443-0BB16EA2D032@obsigna.com> <6f304edb-ad2e-cb2a-eea9-7b6bbe0be760@freebsd.org> <52f73440-c1f0-7f08-0f8e-f912436ee686@denninger.net> <11FA2DA2-85AB-4E70-B9B5-CDADAAA3C295@obsigna.com>

On 5/5/2017 19:08, Dr. Rolf Jansen wrote:
> On 05.05.2017 at 20:53, Karl Denninger <karl@denninger.net> wrote:
>> On 5/5/2017 14:33, Julian Elischer wrote:
>>> On 5/5/17 1:48 am, Dr. Rolf Jansen wrote:
>>>> Resolving this with ipfw/NAT may easily become quite complicated, if
>>>> not impossible if you want to run a stateful nat'ting firewall, which
>>>> is usually the better choice.
>>>>
>>>> IMHO a DNS based solution is much more effective.
>>>>
>>>> On my gateway I am running the caching DNS resolver Unbound. Now
>>>> let's assume the second level domain name in question is
>>>> example.com, and your web server would be accessed by
>>>> www.example.com, while other services, e.g. mail, are served from
>>>> other sites on the internet.
>>> I believe this is a much cleaner solution than using double NAT.
>>> (see also my solution for if the server is also freebsd)
>>> even though we have a nice set of new IPFW capabilities that can do
>>> this, I still think double nat is an over complication of the system.
>>>
>> Well, the DNS answer is one that works IF you control the zone in
>> question every time. ...
> I do not understand "control the zone ... every time".
>
> I set up my transparent zones 5 years ago and never touched it again, and
> I don't see any "illegal" packets on my network caused by this either.
>
> I understand that you actually didn't grasp the transparent zone technique.
>
> Happy double nat'ting :-D
On the contrary, I do understand it (and how to do it), along with how to
throw "off-network" packets at the other host.  Both ways work (unbound
is arguably simpler than BIND, but it'll work in both cases) but the
point is that you then must keep two things in sync rather than do one
thing in one place.

If double-nat'ing isn't supposed to work with in-kernel ipfw nat because
the first nat never leaves an interface then it is what it is, but if it
IS supposed to work, then is not this misfeature a roach on the floor
that perhaps ought to get squashed?

-- 
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
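For readers following the thread, here is what the "transparent zone" approach that the quoted messages refer to looks like in Unbound's configuration. This is an added example, not a configuration posted by either participant; the zone name example.com and the host www.example.com come from the quoted message, while the internal address 192.168.1.10 is an assumption.

```conf
# Added example (not from the original thread): split-horizon override
# for one host on the gateway's caching resolver, unbound.conf syntax.
# The LAN address 192.168.1.10 is assumed for illustration.
server:
    # "transparent": names that have local-data are answered from it;
    # every other name under example.com is forwarded upstream as usual.
    local-zone: "example.com." transparent

    # Only the web host is overridden with its internal address, so LAN
    # clients reach it directly instead of hairpinning through NAT.
    local-data: "www.example.com. IN A 192.168.1.10"

    # Optional reverse mapping for the same host.
    local-data-ptr: "192.168.1.10 www.example.com."

    # Deliberately no entry for mail.example.com or any other name: those
    # resolve to their public records, which is the behaviour the quoted
    # message describes for services hosted elsewhere.
```

After editing, `unbound-checkconf` validates the syntax and a query such as `drill www.example.com @<gateway-address>` from a LAN client should return the internal address, while `drill mail.example.com @<gateway-address>` should still return the public record. The trade-off raised in the reply above applies as written: the public A record and this local-data line are two separate sources of truth, so a change to the public address must also be made here by hand.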
