On 6/25/05, Cvetomir Conev <cvetomirconev at gmail dot com> wrote:
> The address of the OPT interface is 10.1.180.95/25.
> I don't know what could possibly be the reason to open such a large
> hole in the firewall based on the existence of the static route alone.
> It might be useful in some specific scenario, for example multiple
> internal networks. I'm glad you removed it in the later versions.
Ok, I believe I remember what Manuel said about that now. When you
add a static route, it adds those rules to allow traffic in and out of
the *same interface only*. It's not allowing those networks to
anything other than each other, and only on the OPT interface.
They're added on the back end because Manuel didn't want to keep state
on traffic passed into and out of the same interface, for performance.
Because your static route technically wasn't specific enough (the /8
includes local networks that shouldn't have a static route), it falls
into the category of things that get screwed up by that methodology.