Sorry for my poor English.
I'm curious why filter.inc uses 0/0 as the source/subnet when generating rdr rules.
I think 0/32 is more appropriate. When 0/0 is used, ipf only checks the dst-port in the
packets; the dst-addr field in the packets is ignored. With 0/32, ipf checks both
fields. So if 0/0 is used, when a packet is picked up by the interface, as long as its
dst-port matches the rdr rule, it will be DNATed. That might not be what we want.
And a feature request: inbound NAT on the LAN side.
I think inbound NAT on the LAN interface should be enabled. That would allow people inside
the LAN to access services published on the WAN side, using the WAN if-addr, if those services
are running on servers connected to the OPT interface (DMZ).