On 5/4/2017 12:48, Dr. Rolf Jansen wrote:
> Resolving this with ipfw/NAT may easily become quite complicated, if not 
> impossible if you want to run a stateful nat'ting firewall, which is usually 
> the better choice.
>
> IMHO a DNS based solution is much more effective.
>
> On my gateway I have the caching DNS resolver Unbound running. Now let's 
> assume the second-level domain name in question is example.com, and your web 
> server would be accessed as www.example.com, while other services, e.g. mail, 
> are served from other sites on the internet.
>
> In unbound.conf you would place two additional lines before any forwarding 
> directive:
>
> local-zone: "example.com" transparent
> local-data: "www.example.com" A 192.168.1.1
>
> All the clients on the LAN should use the DNS service on the gateway. In the 
> first place Unbound does higher level DNS lookups locally, however, the 
> transparent attribute lets it fall through to its normal recursive or 
> forwarding behaviour in case a given domain could not be resolved locally. 
> For example, the query of www.example.com would return 192.168.1.1 and the 
> query for mail.example.com would be passed either to the forwarder or 
> resolved recursively from the internet.
>
> This way, local clients would directly access your web server from the 
> inside; no NAT is needed.
>
> IMHO, a DNS server on the gateway has more advantages. It can be used to 
> block access to fraudulent or otherwise useless services on the internet for 
> the whole LAN.
>
> Best regards
>
> Rolf
>
That's another alternative I'm considering which might wind up being the
way I ultimately go....

-- 
Karl Denninger
k...@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
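The split-horizon setup Rolf describes above (a `transparent` local zone with one `local-data` override, with every other name in the zone falling through to the forwarder) is easy to get subtly wrong, so here is a small Python model of Unbound's local-zone semantics as an added illustration. It is not Unbound's code and not from either poster; the rules for `transparent`, `static`, `refuse` and `always_nxdomain` follow the descriptions in unbound.conf(5), the `UPSTREAM` table is a constructed stand-in for what a forwarder would return, and the addresses are documentation/RFC 1918 values. It also goes one step past the message: it models the blocking use Rolf mentions (`always_nxdomain` on an unwanted domain) and the `transparent` corner case where a name exists in local data but the queried type does not (Unbound answers NOERROR/NODATA rather than falling through). Note that the rendered `local-data` line puts the whole record inside the quotes, which is the form the unbound.conf(5) man page documents.

```python
"""Toy model of Unbound local-zone / local-data resolution (added example, not Unbound code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the forwarder / recursive lookup; no network is used.
UPSTREAM: Dict[Tuple[str, str], str] = {
    ("www.example.com", "A"): "203.0.113.10",    # public address of the web server
    ("mail.example.com", "A"): "203.0.113.25",
    ("example.com", "MX"): "10 mail.example.com.",
    ("tracker.example.net", "A"): "198.51.100.7",
}


@dataclass
class Answer:
    rcode: str                  # NOERROR, NXDOMAIN or REFUSED
    data: Optional[str] = None  # rdata, or None for a NODATA / negative answer
    source: str = "local"       # "local" (answered on the gateway) or "upstream"


@dataclass
class LocalResolver:
    zones: Dict[str, str] = field(default_factory=dict)              # zone -> local-zone type
    data: Dict[Tuple[str, str], str] = field(default_factory=dict)   # (name, type) -> rdata

    def local_zone(self, zone: str, ztype: str) -> None:
        self.zones[zone.lower().rstrip(".")] = ztype

    def local_data(self, name: str, rtype: str, rdata: str) -> None:
        self.data[(name.lower().rstrip("."), rtype.upper())] = rdata

    def _zone_for(self, name: str) -> Optional[str]:
        """Longest-suffix match: www.example.com is covered by zone example.com."""
        labels = name.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return None

    def resolve(self, name: str, rtype: str = "A") -> Answer:
        name, rtype = name.lower().rstrip("."), rtype.upper()
        ztype = self.zones.get(self._zone_for(name) or "")
        exact = self.data.get((name, rtype))
        name_known = any(n == name for n, _ in self.data)

        if ztype is None:                       # not covered by any local zone
            return self._upstream(name, rtype)
        if ztype == "always_nxdomain":          # blocking: local data is ignored
            return Answer("NXDOMAIN")
        if exact is not None:                   # refuse/static/transparent all prefer local data
            return Answer("NOERROR", exact)
        if ztype == "refuse":
            return Answer("REFUSED")
        if ztype == "static":                   # never leaves the gateway
            return Answer("NOERROR" if name_known else "NXDOMAIN")
        if ztype == "transparent":
            if name_known:                      # name exists locally, type does not: NODATA
                return Answer("NOERROR")
            return self._upstream(name, rtype)  # otherwise fall through, as in the mail
        raise ValueError(f"unsupported local-zone type: {ztype}")

    @staticmethod
    def _upstream(name: str, rtype: str) -> Answer:
        rdata = UPSTREAM.get((name, rtype))
        return Answer("NOERROR" if rdata else "NXDOMAIN", rdata, source="upstream")

    def render_conf(self) -> List[str]:
        """unbound.conf lines equivalent to this resolver's state (man-page syntax)."""
        lines = [f'local-zone: "{z}" {t}' for z, t in self.zones.items()]
        lines += [f'local-data: "{n} {t} {r}"' for (n, t), r in self.data.items()]
        return lines


def build_gateway_resolver() -> LocalResolver:
    """The configuration from the mail, plus one blocked domain (constructed)."""
    r = LocalResolver()
    r.local_zone("example.com", "transparent")
    r.local_data("www.example.com", "A", "192.168.1.1")   # LAN address of the web server
    r.local_zone("tracker.example.net", "always_nxdomain")  # hypothetical unwanted service
    return r


if __name__ == "__main__":
    gw = build_gateway_resolver()
    print("\n".join(gw.render_conf()))
    for q in [("www.example.com", "A"), ("mail.example.com", "A"),
              ("example.com", "MX"), ("www.example.com", "AAAA"),
              ("tracker.example.net", "A")]:
        print(q, gw.resolve(*q))
```

Running it shows the property the mail relies on: `www.example.com/A` is answered on the gateway with the LAN address, while `mail.example.com/A` and `example.com/MX` go to the forwarder unchanged. The `AAAA` query for `www.example.com` is the case worth checking on a real deployment: with a `transparent` zone it does not fall through, so a dual-stack web server reachable over IPv6 from outside would need its own `local-data` AAAA line (or a `typetransparent` zone) rather than relying on the upstream record.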
