Sorry for my poor English.

I'm curious why filter.inc uses 0/0 as the source/subnet when generating rdr rules? I think 0/32 is more appropriate. When 0/0 is used, ipf only checks the dst-port in the packets; the dst-addr field in the packets is ignored. With 0/32, ipf checks both fields. So if 0/0 is used, when a packet is picked up by the interface, as long as its dst-port matches the rdr rule, it will be DNATed. That might not be what we want.

And a feature request: in-bound NAT on the LAN side. I think in-bound NAT on the LAN interface should be enabled. That would allow people inside the LAN to access services published on the WAN side, using the WAN if-addr, if those services are running on servers connected to the opt interface (DMZ).
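The matching difference described in the message above, as a small model added here for illustration; it is not code from filter.inc or ipf. It assumes, as the post describes, that 0/0 matches any destination address and that 0/32 stands for the interface's own address; the addresses, port and function names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

WAN_ADDR = "203.0.113.10"  # constructed WAN interface address (documentation range)

@dataclass
class Packet:
    dst: str    # destination address carried in the packet
    dport: int  # destination port carried in the packet

def rdr_dst_network(spec, if_addr):
    """Resolve the destination spec of an rdr rule to a network.

    Assumption taken from the post: 0/0 matches every destination,
    while 0/32 means "the address of the interface the rule is on".
    """
    addr, _, bits = spec.partition("/")
    bits = int(bits)
    if addr == "0":
        addr = "0.0.0.0"
    if addr == "0.0.0.0" and bits == 32:
        addr = if_addr
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)

def rdr_matches(spec, port, if_addr, pkt):
    """True when the packet would be picked up by the rdr rule (DNATed)."""
    net = rdr_dst_network(spec, if_addr)
    return pkt.dport == port and ipaddress.ip_address(pkt.dst) in net

def redirected(spec, port, if_addr, packets):
    """Destinations of the packets the rule would redirect."""
    return [p.dst for p in packets if rdr_matches(spec, port, if_addr, p)]

# Constructed packets arriving on the WAN interface.
PACKETS = [
    Packet("203.0.113.10", 80),  # addressed to the WAN address, published port
    Packet("198.51.100.7", 80),  # same port, but addressed to some other host
    Packet("203.0.113.10", 22),  # WAN address, unpublished port
]

if __name__ == "__main__":
    for spec in ("0/0", "0/32"):
        print(spec, "->", redirected(spec, 80, WAN_ADDR, PACKETS))
```

With the 0/0 rule the packet addressed to 198.51.100.7 is redirected as well, which is the behaviour the post questions; with 0/32 only traffic addressed to the WAN address is.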