Suggestions: re-address 192.168.100.130 to, say, 192.168.101.130 or change $IntNet to exclude it. (While keeping the rest of your network, of course.)
Why so complicated? You can just block them on the internal interface. Or use tags. Or, or, or...
--As for the rest, it is mine.
Blocking them on the internal interface won't work: they've already been NAT'd. Tags I've never used, and didn't think of, but that is the best option.
Of course what this looks like is a DMZ, so a better solution would probably be a three-legged firewall. But that may be far more work than Jim wants.
Daniel T. Staal
---------------------------------------------------------------
This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law.
---------------------------------------------------------------
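For readers who, like the poster above, have not used tags before, here is what the "tags" option looks like in pf.conf syntax. This is an added illustration, not a ruleset from the thread or from Jim's firewall; the interface names em0/em1, the $IntNet value, the macro names and the tag name are assumptions chosen for the example, and only the host address 192.168.100.130 comes from the thread. The idea is to mark the host's packets on the internal interface, where the source address has not yet been translated, and to act on the mark at the external interface, where NAT has already happened.

```pf
# Added example, not from the thread. Assumes the firewall is pf, em0 faces
# the outside, em1 faces the inside, and $IntNet is the whole inside network.
ext_if   = "em0"
int_if   = "em1"
IntNet   = "192.168.100.0/24"
excluded = "192.168.100.130"   # the host from the thread

# NAT stays exactly as it was: the excluded host remains inside $IntNet,
# so nothing has to be re-addressed and $IntNet needs no carve-out.
nat on $ext_if inet from $IntNet to any -> ($ext_if)

# Mark the host's packets where its real source address is still visible:
# on entry at the internal interface. "no state" is deliberate, so that
# every packet is evaluated again by the egress rule below instead of being
# matched by a state created here.
pass in quick on $int_if inet from $excluded tag EXCLUDED no state

# Everyone else on the inside gets the normal stateful pass.
pass in on $int_if inet from $IntNet to any keep state

# The tag travels with the packet through translation, so it still matches
# after NAT has rewritten the source. Logging the drop makes the exclusion
# visible in pflog, which is where you would check that it is working.
block out log quick on $ext_if tagged EXCLUDED

pass out on $ext_if inet keep state
```

The "tagged" match is what makes this work after NAT: the packet's addresses have been rewritten by the time it reaches the external interface, but the tag set on entry has not. The rest of the ruleset is left as a plain, conventional NAT setup so the two tag lines are the only difference from what was presumably already there.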
