Question that has dogged me for a while.

Karl Denninger karl at denninger.net
Sat May 6 00:14:49 UTC 2017 

On 5/5/2017 19:08, Dr. Rolf Jansen wrote:
> Am 05.05.2017 um 20:53 schrieb Karl Denninger <karl at denninger.net>:
>> On 5/5/2017 14:33, Julian Elischer wrote:
>>> On 5/5/17 1:48 am, Dr. Rolf Jansen wrote:
>>>> Resolving this with ipfw/NAT may easily become quite complicated, if
>>>> not impossible if you want to run a stateful nat'ting firewall, which
>>>> is usually the better choice.
>>>>
>>>> IMHO a DNS based solution is much more effective.
>>>>
>>>> On my gateway I have running the caching DNS resolver Unbound. Now
>>>> let's assume, the second level domain name in question is
>>>> example.com, and your web server would be accessed by
>>>> www.example.com, while other services, e.g. mail are served from
>>>> other sites on the internet.
>>> I believe this is a much cleaner solution thanusing double NAT.
>>> (see also my solution for if the server is also freebsd)
>>> even though we have a nice set of new IPFW capabilities that can do
>>> this, I still think double nat is an over complication of the system.
>>>
>> Well, the DNS answer is one that works IF you control the zone in
>> question every time. ...
> I do not understand "control the zone ... every time".
>
> I set up my transparent zones 5 years ago and never touched it again, and I don't see any "illegal" packets on my network caused by this either.
>
> I understand that you actually didn't grasp the transparent zone technic.
>
> Happy double nat'ting :-D
On the contrary I do understand it (and how to do it), along with how to
throw "off-network" packets at the other host.  Both ways work (unbound
is arguably simpler than BIND, but it'll work in both cases) but the
point is that you then must keep two things in sync rather than do one
thing in one place.

If double-nat'ing isn't supposed to work with in-kernel ipfw nat because
the first nat never leaves an interface then it is what it is, but if it
IS supposed to work  then is not this misfeature a roach on the floor
that perhaps ought to get squashed?

-- 
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2993 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freebsd.org/pipermail/freebsd-ipfw/attachments/20170505/cc9ffb57/attachment.bin>

More information about the freebsd-ipfw mailing list