Question that has dogged me for a while.
Dr. Rolf Jansen
rj at obsigna.com
Sat May 6 00:08:40 UTC 2017
Am 05.05.2017 um 20:53 schrieb Karl Denninger <karl at denninger.net>:
> On 5/5/2017 14:33, Julian Elischer wrote:
>> On 5/5/17 1:48 am, Dr. Rolf Jansen wrote:
>>> Resolving this with ipfw/NAT may easily become quite complicated, if
>>> not impossible if you want to run a stateful nat'ting firewall, which
>>> is usually the better choice.
>>>
>>> IMHO a DNS based solution is much more effective.
>>>
>>> On my gateway I have running the caching DNS resolver Unbound. Now
>>> let's assume, the second level domain name in question is
>>> example.com, and your web server would be accessed by
>>> www.example.com, while other services, e.g. mail are served from
>>> other sites on the internet.
>>
>> I believe this is a much cleaner solution thanusing double NAT.
>> (see also my solution for if the server is also freebsd)
>> even though we have a nice set of new IPFW capabilities that can do
>> this, I still think double nat is an over complication of the system.
>>
> Well, the DNS answer is one that works IF you control the zone in
> question every time. ...
I do not understand "control the zone ... every time".
I set up my transparent zones 5 years ago and never touched it again, and I don't see any "illegal" packets on my network caused by this either.
I understand that you actually didn't grasp the transparent zone technic.
Happy double nat'ting :-D
More information about the freebsd-ipfw
mailing list