From ff7cb6d60fd1787b2810370e2a1200034535bd16 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sun, 20 Apr 2014 18:13:35 +0200
Subject: [PATCH] firewall: Fix accessing port forwardings from internal networks.

When a different "external port" was used, false rules have been created in the mangle table.
---
 config/firewall/rules.pl | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 2c314d16e..c0ddcb2d6 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -354,20 +354,21 @@ sub buildrules {

  # Destination NAT
  if ($NAT_MODE eq "DNAT") {
- # Make port-forwardings useable from the internal networks.
- my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
- unless ($nat_address ~~ @internal_addresses) {
- &add_dnat_mangle_rules($nat_address, @options);
- }
-
  my @nat_options = ();
  if ($protocol ne "all") {
  my @nat_protocol_options = &get_protocol_options($hash, $key, $protocol, 1);
  push(@nat_options, @nat_protocol_options);
  }
+ push(@nat_options, @time_options);
+
+ # Make port-forwardings useable from the internal networks.
+ my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
+ unless ($nat_address ~~ @internal_addresses) {
+ &add_dnat_mangle_rules($nat_address, @nat_options);
+ }
+
  push(@nat_options, @source_options);
  push(@nat_options, ("-d", $nat_address));
- push(@nat_options, @time_options);

  my $dnat_port;
  if ($protocol_has_ports) {
-- 
2.39.2
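Review bot: The call `&add_dnat_mangle_rules($nat_address, @nat_options)` now depends on where it sits among the `push` lines: it receives the protocol/port options and `@time_options`, but not `@source_options` or the `-d` match, which are appended only afterwards. Nothing in the hunk records that this ordering is deliberate, so a later reshuffle of the pushes would silently change which packets from the internal networks get marked. A comment above the call such as `# Call before source/destination options are appended: the mangle rules match on protocol, external port and time only.` would pin it down. If a forwarding rule carries a source restriction, it is worth confirming that leaving it out of the mangle rules is intended; `add_dnat_mangle_rules` and the rest of `buildrules` lie outside the hunk, so that cannot be checked from here.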