On 05.05.2017 at 20:53, Karl Denninger <k...@denninger.net> wrote:
> On 5/5/2017 14:33, Julian Elischer wrote:
>> On 5/5/17 1:48 am, Dr. Rolf Jansen wrote:
>>> Resolving this with ipfw/NAT may easily become quite complicated, if
>>> not impossible if you want to run a stateful nat'ting firewall, which
>>> is usually the better choice.
>>>
>>> IMHO a DNS based solution is much more effective.
>>>
>>> On my gateway I have running the caching DNS resolver Unbound. Now
>>> let's assume the second level domain name in question is
>>> example.com, and your web server would be accessed by
>>> www.example.com, while other services, e.g. mail, are served from
>>> other sites on the internet.
>>
>> I believe this is a much cleaner solution than using double NAT.
>> (see also my solution for if the server is also freebsd)
>> even though we have a nice set of new IPFW capabilities that can do
>> this, I still think double nat is an over complication of the system.
>>
> Well, the DNS answer is one that works IF you control the zone in
> question every time. ...
I do not understand "control the zone ... every time". I set up my transparent zones 5 years ago and never touched them again, and I don't see any "illegal" packets on my network caused by this either. I understand that you actually didn't grasp the transparent zone technique. Happy double nat'ting :-D

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
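For readers who want to see what the Unbound "transparent zone" approach discussed above looks like in configuration, the following is an added example; it is not the configuration posted in this thread. It assumes the gateway runs Unbound on its LAN address 10.0.0.1, serves clients in 10.0.0.0/24, and that the web server reachable on the internet as www.example.com sits on the LAN at 10.0.0.10 (all three addresses are assumptions chosen for the example). The zone example.com itself stays under the control of whoever hosts it publicly: only the one name listed in `local-data` is answered locally.

```conf
# Added example (not from the thread): Unbound split-horizon override for a
# single host under a zone you do not control.
# Assumed addresses: Unbound listens on 10.0.0.1, LAN is 10.0.0.0/24,
# the LAN copy of www.example.com is 10.0.0.10.
server:
    interface: 10.0.0.1
    access-control: 10.0.0.0/24 allow

    # "transparent": if the queried name matches local-data, answer from it;
    # otherwise resolve the query normally on the internet. Every other name
    # in example.com (mail.example.com, the MX record, ...) is untouched.
    local-zone: "example.com." transparent
    local-data: "www.example.com. IN A 10.0.0.10"

    # Optional: matching reverse entry so rDNS for the LAN address agrees.
    local-data-ptr: "10.0.0.10 www.example.com"
```

One caveat to check before relying on this: with `transparent`, a name that exists in `local-data` is answered only for the record types you list, so a client asking for an AAAA record of www.example.com gets an empty (NODATA) answer instead of the public IPv6 address. If the public host has records of other types that LAN clients need, use `local-zone: "example.com." typetransparent` instead, which resolves unlisted types upstream. Validate with `unbound-checkconf`, then confirm from a LAN client that `drill www.example.com @10.0.0.1` returns 10.0.0.10 while `drill mail.example.com @10.0.0.1` still returns the public answer.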