On 05.05.2017 at 21:14, Karl Denninger <[email protected]> wrote:
> On 5/5/2017 19:08, Dr. Rolf Jansen wrote:
>> On 05.05.2017 at 20:53, Karl Denninger <[email protected]> wrote:
>>> On 5/5/2017 14:33, Julian Elischer wrote:
>>>> On 5/5/17 1:48 am, Dr. Rolf Jansen wrote:
>>>>> Resolving this with ipfw/NAT may easily become quite complicated, if
>>>>> not impossible if you want to run a stateful nat'ting firewall, which
>>>>> is usually the better choice.
>>>>>
>>>>> IMHO a DNS based solution is much more effective.
>>>>>
>>>>> On my gateway I have the caching DNS resolver Unbound running. Now
>>>>> let's assume the second level domain name in question is
>>>>> example.com, and your web server would be accessed by
>>>>> www.example.com, while other services, e.g. mail, are served from
>>>>> other sites on the internet.
>>>> I believe this is a much cleaner solution than using double NAT.
>>>> (see also my solution for if the server is also freebsd)
>>>> even though we have a nice set of new IPFW capabilities that can do
>>>> this, I still think double nat is an over complication of the system.
>>>>
>>> Well, the DNS answer is one that works IF you control the zone in
>>> question every time. ...
>> I do not understand "control the zone ... every time".
>>
>> I set up my transparent zones 5 years ago and never touched them again, and I
>> don't see any "illegal" packets on my network caused by this either.
>>
>> I understand that you actually didn't grasp the transparent zone technique.
>>
>> Happy double nat'ting :-D
> On the contrary I do understand it (and how to do it), along with how to
> throw "off-network" packets at the other host. Both ways work (unbound
> is arguably simpler than BIND, but it'll work in both cases) but the
> point is that you then must keep two things in sync rather than do one
> thing in one place.
With BIND you cannot set up a selectively transparent zone. You are talking about split DNS, and that's a different animal.
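The "selectively transparent zone" discussed in this thread, written out as an unbound.conf fragment. This is an added illustration, not configuration posted by any participant; the domain names come from the thread, while the internal address 192.168.1.10 is a constructed placeholder for the web server's LAN address.

```conf
# unbound.conf fragment (added example, not from the thread).
# Constructed assumption: the web server sits at 192.168.1.10 on the LAN.
server:
    # "transparent": a query whose name AND type match a local-data entry is
    # answered from here; every other name under example.com (mail, etc.)
    # is resolved normally on the Internet. Only the web host is overridden.
    local-zone: "example.com." transparent
    local-data: "www.example.com. IN A 192.168.1.10"

    # Do NOT add an A record for the bare apex "example.com." under a
    # transparent zone: once a name has any local data, Unbound answers
    # other types for that same name (e.g. MX) with an empty NODATA reply
    # instead of resolving them, which would break mail lookups. If you
    # need the apex as well, use "typetransparent" for the zone, which
    # only overrides the exact (name, type) pairs you list.
```

With this in place, LAN clients resolve www.example.com to the internal address and reach the server directly, so the gateway needs no hairpin or double NAT rule for that traffic; only the single local-data line has to be kept in step with the public zone. The one check worth doing after a change is to query the resolver for both the overridden name and an untouched one (for example the MX of example.com) and confirm that only the former returns the LAN address.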
