On Mon, Sep 02, 2002 at 01:58:14PM +0200, Clemens Dumat wrote:
> This is your proposal. Maybe this is the only one that would be sensible to do,
> but nevertheless I thought about different ways of doing it :) The one thing that
> I don't really like in this solution is that I would have to open a private IP
> on the outer interface for this to work.

But that's what you're actually doing, even in your two other proposals: expose a local machine to the internet. In my opinion, the first approach is actually superior _because_ it makes it very clear what's going on. If you dislike the idea of exposing a local machine to the internet (we're only talking about port http in all cases), then you shouldn't be doing this redirection at all.

The latter two forms just obfuscate this fact through syntax; they equally allow any external host to connect to the internal web server on port http.

Or did I miss something? How are the latter two versions more restrictive, such that they block any packet that the first version doesn't?

Daniel
