Hello,

In the case where static routes are known on the green0 side by Ipfire and you want to filter on these networks, the firewall rules are duplicated in 3 specific cases.

1/ When a FORWARD rule has as its source a host or a network known via green0 and as its output the red0 interface, we have an unnecessary rule that is added to INPUTFW.

2/ When a SNAT rule has as its source a host or a network known via green0, with an IP redirection from green0, and as its output a host on the same network known via green0, we have an unnecessary rule that is added to INPUTFW.

3/ When a DNAT rule has any network as its source and the firewall as its output, with a redirection of the destination IP to a host on the network known via green0, we have an unnecessary rule that is added to OUTGOINGFW.

An email was sent to the Ipfire development team to detail the 3 bugs.

Below is a diagram to understand the infrastructure. The objective is that Ipfire can filter/NAT on a network known via green0 without creating unwanted rules.

+-----------------------------+
| +----------+                |
| |          |                |
| |   SRV    +--+             |
| |          |  |             |
| +----------+  |             |
|               |             |
| 192.168.X.0/24|             |      192.168.X.0/24
|  +----------->|             |      +----------->
|     no NAT    |             |          NAT
|               |             |
| +----------+  |  +--------+ |                   +---------+      +----------+
| |          |  |  |        | |  192.168.y.252/30 |         |      |          |
| |    PC    +--+--+        +-+-------------------+ Ipfire  +------+ INTERNET |
| |          |     |        | |                   |         |      |          |
| +----------+     +--------+ |                   +---------+      +----------+
|                             |
+-----------------------------+

With kind regards
There are more details here: https://lists.ipfire.org/pipermail/development/2019-January/005261.html
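One way to check a box for the stray rules the report describes is to dump the rule set with iptables-save and look for INPUTFW or OUTGOINGFW rules that name a network Ipfire only reaches through a static route over green0; a clean rule set should contain none. The script below is an added example, not code from the post or from the IPFire project. The chain names INPUTFW and OUTGOINGFW come from the post; the sample rule set is constructed in iptables-save format for illustration, with 192.168.10.0/24 standing in for the routed network and 192.168.20.252/30 for the green0 transit network.

```shell
#!/bin/sh
# Added check (not IPFire code): report INPUTFW / OUTGOINGFW rules whose -s or -d
# operand is a network that is only known via a static route over green0.
# Input is iptables-save output on stdin.

# Constructed sample in iptables-save format (hypothetical, not real IPFire output).
# The FORWARDFW rule is the one the admin created; the INPUTFW and OUTGOINGFW
# rules for 192.168.10.0/24 are the kind of unwanted extras the report describes.
SAMPLE_RULES='*filter
:INPUTFW - [0:0]
:FORWARDFW - [0:0]
:OUTGOINGFW - [0:0]
-A FORWARDFW -s 192.168.10.0/24 -o red0 -j ACCEPT
-A INPUTFW -s 192.168.10.0/24 -j ACCEPT
-A INPUTFW -s 192.168.20.254/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTGOINGFW -d 192.168.10.0/24 -j ACCEPT
COMMIT'

# find_stray_rules NET: print every INPUTFW/OUTGOINGFW rule whose -s or -d
# operand is exactly NET (as written in the rule, e.g. 192.168.10.0/24).
find_stray_rules() {
    awk -v net="$1" '
        /^-A (INPUTFW|OUTGOINGFW) / {
            for (i = 1; i <= NF; i++)
                if (($i == "-s" || $i == "-d") && $(i + 1) == net) { print; next }
        }'
}

# count_stray_rules NET: number of such rules; 0 is the expected result on a
# rule set that does not show the reported duplication.
count_stray_rules() {
    find_stray_rules "$1" | awk 'END { print NR }'
}

# Stand-alone usage on the constructed sample. On a live Ipfire box, feed the
# real rule set instead: iptables-save | find_stray_rules 192.168.10.0/24
printf '%s\n' "$SAMPLE_RULES" | find_stray_rules 192.168.10.0/24
```

Only rules whose address operand matches the routed network exactly are reported; rules for the green0 transit network itself (192.168.20.x in the sample) are legitimate and are left alone, so run the check once per routed network after adding or editing a FORWARD, SNAT or DNAT rule.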