Question that has dogged me for a while.

Karl Denninger karl at denninger.net
Thu May 4 18:07:48 UTC 2017


On 5/4/2017 12:48, Dr. Rolf Jansen wrote:
> Resolving this with ipfw/NAT may easily become quite complicated, if not impossible if you want to run a stateful nat'ting firewall, which is usually the better choice.
>
> IMHO a DNS based solution is much more effective.
>
> On my gateway I am running the caching DNS resolver Unbound. Now let's assume the second-level domain name in question is example.com, and your web server would be accessed by www.example.com, while other services, e.g. mail, are served from other sites on the internet.
>
> In unbound.conf you would place two additional lines before any forwarding directive:
>
> local-zone: "example.com" transparent
> local-data: "www.example.com. A 192.168.1.1"
>
> All the clients on the LAN should use the DNS service on the gateway. In the first place, Unbound does higher-level DNS lookups locally; however, the transparent attribute lets it fall through to its normal recursive or forwarding behaviour in case a given domain cannot be resolved locally. For example, the query for www.example.com would return 192.168.1.1 and the query for mail.example.com would be passed either to the forwarder or resolved recursively from the internet.
>
> This way, local clients would directly access your web server from the inside, no NAT is needed.
>
> IMHO, a DNS server on the gateway has more advantages. It can be used to block access to fraudulent or otherwise useless services on the internet for the whole LAN.
>
> Best regards
>
> Rolf
>
That's another alternative I'm considering which might wind up being the
way I ultimately go....

-- 
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
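The split-horizon Unbound configuration described in the quoted message, written out as a complete unbound.conf fragment. This is an added example, not part of the original thread. The two example.com lines come from the message; the gateway's LAN address 192.168.1.254, the LAN prefix 192.168.1.0/24, the upstream resolver 192.0.2.53 and the blocked domain tracker.example are assumptions for illustration.

```conf
# Added example, not from the original post. Assumed values: the gateway
# listens on 192.168.1.254, the LAN is 192.168.1.0/24, 192.0.2.53 is the
# upstream forwarder, and tracker.example stands in for a domain you want
# to block for the whole LAN.
server:
    # Listen on the LAN side and loopback only, and refuse everyone else,
    # so the gateway does not become an open resolver towards the WAN.
    interface: 127.0.0.1
    interface: 192.168.1.254
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Split horizon for example.com: www.example.com answers with the
    # internal address of the web server; every other name under the
    # zone (mail.example.com, ...) falls through to normal resolution.
    local-zone: "example.com" transparent
    local-data: "www.example.com. A 192.168.1.1"

    # Caveat: with "transparent", a name that has local-data answers only
    # for the record types configured here. A query for www.example.com
    # AAAA gets NOERROR/NODATA rather than the public answer. If LAN
    # clients must still see the public records of other types for that
    # name, use "typetransparent" instead:
    # local-zone: "example.com" typetransparent

    # Blocking a domain for the whole LAN (the second use the message
    # mentions): every name at or under it is answered with NXDOMAIN.
    local-zone: "tracker.example" always_nxdomain

# The forwarding directive comes after the local zones, as the message says.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
```

After editing, `unbound-checkconf` validates the syntax, and from a LAN client `drill www.example.com @192.168.1.254` should return 192.168.1.1 while `drill mail.example.com @192.168.1.254` returns the public record.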