Volker Kuhlmann wrote:

> Yes, that's what I meant - you can't restrict source IPs in connection
> with original destination port. As soon as a source IP is allowed, it
> can access on any WAN port for which there is a NAT rule, so you can't
> force certain source IPs to use certain WAN ports only.

Huh? That's not true at all. You don't need to permit any on the WAN, you can limit that by source IPs on the WAN side. The only thing you need to keep in mind is that NAT applies first, so you're permitting traffic to the private IP and internal port. I.e., if you're forwarding WAN port 888 to LAN 192.168.1.5 port 80, you need the NAT on external port 888, internal IP 192.168.1.5, internal port 80. Then you need a firewall rule on the WAN interface permitting traffic from whatever sources you desire (any is the default if you check "auto add firewall rule" on the NAT page, you want this if you want anything on the Internet to be able to access this port) to destination 192.168.1.5 port 80.

What I usually do is check the "auto add firewall rule" box, then go to the firewall rules page and change the source from "any" to whatever I want it to be, if I don't want it opened to the entire Internet. The rule changes don't take place until you hit "apply changes", so it's not opening you up to any additional exposure as long as you don't hit "apply changes" before you have the firewall rules set up as you like.
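The evaluation order described in the reply above, as an added example that is not part of the original post and is not the firewall's own code: a simplified Python model in which the port forward rewrites the destination first and the WAN rules are then matched against the translated packet. The WAN address, the allowed source network and all function names are assumptions made for the illustration.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str
    dport: int

# Constructed sample values (documentation address ranges), not from the post.
WAN_IP = "198.51.100.10"
ALLOWED_SRC = "203.0.113.0/24"

# Port forward from the post: WAN port 888 -> 192.168.1.5 port 80.
NAT_RULES = {888: ("192.168.1.5", 80)}

# WAN rule after changing the source from "any":
# (source network, destination IP, destination port), written post-NAT.
WAN_RULES = [(ALLOWED_SRC, "192.168.1.5", 80)]

# A rule written against the WAN address and external port instead.
MISWRITTEN_RULES = [(ALLOWED_SRC, WAN_IP, 888)]

def apply_nat(pkt):
    """Step 1: rewrite the destination if a port forward matches."""
    if pkt.dst == WAN_IP and pkt.dport in NAT_RULES:
        ip, port = NAT_RULES[pkt.dport]
        return pkt._replace(dst=ip, dport=port)
    return pkt

def wan_filter(pkt, rules):
    """Step 2: match rules against the translated packet; default deny."""
    src = ipaddress.ip_address(pkt.src)
    for net, dst, dport in rules:
        if (src in ipaddress.ip_network(net)
                and pkt.dst == dst and pkt.dport == dport):
            return True
    return False

def evaluate(src, wan_port, rules=WAN_RULES):
    """Return (allowed, packet as the filter saw it)."""
    translated = apply_nat(Packet(src, WAN_IP, wan_port))
    return wan_filter(translated, rules), translated

if __name__ == "__main__":
    for src, port in [("203.0.113.7", 888), ("192.0.2.50", 888),
                      ("203.0.113.7", 80)]:
        print(src, port, evaluate(src, port))
    print("miswritten:", evaluate("203.0.113.7", 888, MISWRITTEN_RULES))
```

In this model the miswritten rule never matches, because by the time the filter runs the packet's destination is already 192.168.1.5 port 80.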

