 From:  edward mzj <edward underscore mzj at yahoo dot com dot cn>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  incorrect subnet-mask bit in 'rdr' rules?!
 Date:  Fri, 27 May 2005 16:53:46 +0800 (CST)
Sorry for my poor English.

I'm curious why filter.inc uses 0/0 as the source/subnet when generating rdr rules?
I think 0/32 is more appropriate. When 0/0 is used, ipf only checks the dst-port in the
packets; the dst-addr field in the packets is ignored. With 0/32, ipf checks both
fields. So if 0/0 is used, when a packet is picked up by the interface, as long as its
dst-port matches the rdr rule, it will be DNATed. That might not be what we want.

And a feature request: inbound NAT on the LAN side.
I think inbound NAT on the LAN interface should be enabled. That would allow people inside
the LAN to access services published on the WAN side, using the WAN if-addr, if those services
are running on servers connected to the OPT interface (DMZ).
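
Added example (not part of the original post, not m0n0wall's or ipf's code): a small Python simulation of how an rdr rule's destination prefix and port are matched against incoming packets. It models the difference the post describes between a wide-open 0/0 destination (only the dst-port is compared) and a /32 destination pinned to one address (both dst-addr and dst-port are compared). The interface name `sis0`, the WAN address 203.0.113.10, the DMZ server 10.1.1.10 and the sample packets are all constructed for the demonstration; the /32 case is modelled as the WAN interface's own address, which is what the post's reasoning assumes the tighter rule should match.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RdrRule:
    """One ipf-style rdr rule: redirect packets on `iface` whose original
    destination falls in `match_dst` and whose dst-port is `match_port`."""
    iface: str
    match_dst: str   # ipf-style prefix, e.g. "0/0" or "203.0.113.10/32"
    match_port: int
    to_addr: str
    to_port: int


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet was picked up on
    dst: str     # original destination address
    dport: int   # original destination port


def parse_prefix(text: str):
    """Expand ipf shorthand such as "0/0" into an ip_network."""
    addr, _, bits = text.partition("/")
    octets = addr.split(".")
    while len(octets) < 4:          # "0" -> "0.0.0.0"
        octets.append("0")
    return ip_network(f"{'.'.join(octets)}/{bits or 32}", strict=False)


def apply_rdr(rule: RdrRule, pkt: Packet):
    """Return the rewritten (addr, port) if the rule matches, else None."""
    if pkt.iface != rule.iface:
        return None
    if pkt.dport != rule.match_port:
        return None
    # With a /0 prefix every address passes this test, so only the port
    # decided the match; with a /32 prefix the dst-addr is checked too.
    if ip_address(pkt.dst) not in parse_prefix(rule.match_dst):
        return None
    return (rule.to_addr, rule.to_port)


def redirected_destinations(rule: RdrRule, packets):
    """Original destinations of the packets the rule would DNAT."""
    return [p.dst for p in packets if apply_rdr(rule, p) is not None]


# Constructed sample traffic arriving on the WAN interface.
SAMPLE_PACKETS = [
    Packet("sis0", "203.0.113.10", 80),   # to the WAN address, published port
    Packet("sis0", "198.51.100.7", 80),   # to some other address, same port
    Packet("sis0", "203.0.113.10", 443),  # to the WAN address, other port
]

# The loose rule the post questions (0/0) and the tighter alternative.
LOOSE_RULE = RdrRule("sis0", "0/0", 80, "10.1.1.10", 80)
TIGHT_RULE = RdrRule("sis0", "203.0.113.10/32", 80, "10.1.1.10", 80)

if __name__ == "__main__":
    print("0/0  ->", redirected_destinations(LOOSE_RULE, SAMPLE_PACKETS))
    print("/32  ->", redirected_destinations(TIGHT_RULE, SAMPLE_PACKETS))
```

With the loose rule both port-80 packets are rewritten to 10.1.1.10, including the one that was never addressed to the firewall; with the /32 rule only the packet sent to the WAN address is redirected. Whether a packet for a foreign address can actually arrive on the WAN interface depends on the surrounding routing, so the simulation only shows what the rule itself would decide.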

