Which is arguably a security issue if things do work as you've described.
Scenario A:
I've forwarded anything sent to UDP/80 to 192.168.1.20.
You're on 192.168.1.30 and you send a packet to 10.20.30.40:50 using UDP, source port 80.
An incoming packet from 10.20.30.40:50 now goes where? 192.168.1.20:80 or 192.168.1.30:80?
What stops me at 192.168.1.30:80 sending out packets to every IP, flooding the connection state table and effectively DoSing 192.168.1.20:80 without ever touching it?
...or should the connection actually go to 192.168.1.20:80 always, because that's what I've statically defined for all traffic on UDP/80 to do?
I guess the question is: which should take precedence, the dynamic session table, or the static configuration?