Sorry for my poor English.

I'm curious why filter.inc uses 0/0 as the source/subnet when generating rdr rules. I think 0/32 is more appropriate. When 0/0 is used, ipf only checks the dst-port in the packets; the dst-addr field in the packets is ignored. With 0/32, ipf checks both fields. So if 0/0 is used, when a packet is picked up by the interface, as long as its dst-port matches the rdr rule, it will be DNATed. That might not be what we want.

And a feature request: in-bound NAT on the LAN side. I think in-bound NAT on the LAN interface should be enabled. That would allow people inside the LAN to access services published on the WAN side, using the WAN if-addr, if those services are running on servers connected to the opt interface (DMZ).
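
Added example, not part of the original post: a small Python model of the matching difference described above, useful for checking which packets a generated rdr rule would rewrite. It assumes, as the post states, that `0/32` makes the rule compare the packet's destination with the interface's own address; the addresses, class names and functions are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (documentation ranges), not from the post.
IFACE_ADDR = {"wan": "203.0.113.10"}
DMZ_SERVER = ("192.168.2.10", 80)

@dataclass(frozen=True)
class Rdr:
    iface: str
    dst_spec: str   # "0/0" or "0/32", the two forms compared in the post
    port: int
    target: tuple

@dataclass(frozen=True)
class Packet:
    iface: str
    dst: str
    dport: int

def dst_network(rule):
    """Expand the rule's destination spec to a network (model assumption)."""
    if rule.dst_spec == "0/0":      # any destination address
        return ipaddress.ip_network("0.0.0.0/0")
    if rule.dst_spec == "0/32":     # assumed: the interface's own address
        return ipaddress.ip_network(IFACE_ADDR[rule.iface] + "/32")
    return ipaddress.ip_network(rule.dst_spec, strict=False)

def apply_rdr(rule, pkt):
    """Return the rewritten (addr, port), or None when the rule does not match."""
    if pkt.iface != rule.iface or pkt.dport != rule.port:
        return None
    if ipaddress.ip_address(pkt.dst) not in dst_network(rule):
        return None
    return rule.target

# Constructed packets arriving on the WAN interface.
PACKETS = [
    Packet("wan", "203.0.113.10", 80),   # addressed to the WAN address
    Packet("wan", "203.0.113.77", 80),   # same port, some other destination
    Packet("wan", "203.0.113.10", 22),   # WAN address, unpublished port
]

def redirected(dst_spec):
    """Destinations of the sample packets that get DNATed under dst_spec."""
    rule = Rdr("wan", dst_spec, 80, DMZ_SERVER)
    return [p.dst for p in PACKETS if apply_rdr(rule, p) is not None]

if __name__ == "__main__":
    for spec in ("0/0", "0/32"):
        print(spec, "->", redirected(spec))
```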