Question that has dogged me for a while.

Karl Denninger karl at denninger.net
Sat May 6 03:32:33 UTC 2017


On 5/5/2017 21:56, Dr. Rolf Jansen wrote:
> Am 05.05.2017 um 21:14 schrieb Karl Denninger <karl at denninger.net>:
>> On 5/5/2017 19:08, Dr. Rolf Jansen wrote:
>>> Am 05.05.2017 um 20:53 schrieb Karl Denninger <karl at denninger.net>:
>>>> On 5/5/2017 14:33, Julian Elischer wrote:
>>>>> On 5/5/17 1:48 am, Dr. Rolf Jansen wrote:
>>>>>> Resolving this with ipfw/NAT may easily become quite complicated, if
>>>>>> not impossible if you want to run a stateful nat'ting firewall, which
>>>>>> is usually the better choice.
>>>>>>
>>>>>> IMHO a DNS based solution is much more effective.
>>>>>>
>>>>>> On my gateway I have running the caching DNS resolver Unbound. Now
>>>>>> let's assume, the second level domain name in question is
>>>>>> example.com, and your web server would be accessed by
>>>>>> www.example.com, while other services, e.g. mail are served from
>>>>>> other sites on the internet.
>>>>> I believe this is a much cleaner solution than using double NAT.
>>>>> (see also my solution for if the server is also freebsd)
>>>>> even though we have a nice set of new IPFW capabilities that can do
>>>>> this, I still think double nat is an over complication of the system.
>>>>>
>>>> Well, the DNS answer is one that works IF you control the zone in
>>>> question every time. ...
>>> I do not understand "control the zone ... every time".
>>>
>>> I set up my transparent zones 5 years ago and never touched it again, and I don't see any "illegal" packets on my network caused by this either.
>>>
>>> I understand that you actually didn't grasp the transparent zone technique.
>>>
>>> Happy double nat'ting :-D
>> On the contrary I do understand it (and how to do it), along with how to
>> throw "off-network" packets at the other host.  Both ways work (unbound
>> is arguably simpler than BIND, but it'll work in both cases) but the
>> point is that you then must keep two things in sync rather than do one
>> thing in one place.
> With BIND you cannot set up a selectively transparent zone. You are talking about split DNS, and that's a different animal.
>
Well, sort of you can.

Look at "response-policy" in the options section of named.conf....  It
does basically the same sort of thing that you can do with unbound; it's
been there for a while.

-- 
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
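The two mechanisms the thread compares, written out as an added example (not configuration posted by either participant): an Unbound transparent local zone that overrides only www.example.com, and the BIND "response-policy" (RPZ) zone that does the same per-name rewrite without a full split-DNS copy of example.com. The address 192.0.2.10, the zone name rpz.local and the file paths are placeholders.

```conf
# --- Unbound (e.g. /usr/local/etc/unbound/unbound.conf) ---
# "transparent": a name that has local-data is answered from here; every
# other name under example.com (mail.example.com, ...) is resolved normally
# upstream, so the zone never has to be kept in sync with the public one.
server:
    local-zone: "example.com." transparent
    # 192.0.2.10 is a placeholder: put the web server's LAN address here.
    local-data: "www.example.com. IN A 192.0.2.10"
    # Optional: make the reverse lookup agree with the override.
    local-data-ptr: "192.0.2.10 www.example.com"

# --- BIND named.conf, the "response-policy" equivalent ---
# The policy zone name (rpz.local) and the file path are placeholders.
options {
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;
    file "/usr/local/etc/namedb/rpz.local.db";
};

; --- RPZ zone file /usr/local/etc/namedb/rpz.local.db ---
; An ordinary A record owned by a name inside the policy zone is the RPZ
; "Local Data" action: only www.example.com is rewritten, every other
; example.com name passes through to the normal upstream answer.
$TTL 60
@                 IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 60 )
@                 IN NS   localhost.
www.example.com   IN A    192.0.2.10
```

After reloading either resolver, `drill www.example.com @127.0.0.1` (or `dig`) should return the LAN address while `drill mail.example.com @127.0.0.1` still returns the public record, which is the check that the override is selective rather than a split zone.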