ipfilter：是否可以在每个区域重定向 ssh？

我有一台用于测试的服务器，我已在其上安装了 OmniOS，因为它可以模拟 linux（lx 品牌区域）和 Solaris（与 kvm-qemu 完美配合）。我可以在 192.168.0.0/24 网络上运行所有设备，但我更喜欢这样做：一台带有 2 个网卡的服务器：bge0 和 bge1，bge0 有 192.168.0.30 ip，bge1 有 10.2.0.1。虚拟机（区域和 kvm-qemu）在 10.2.0.1 网络上运行。所以我使用 ipfilter 制作了一个这样的防火墙

ipf 配置文件

# block and quick everything by default but pass on lo0
block in log on bge0 all
pass in quick on bge1 all
pass in quick on lo0 all

# These rules will allow connections initiated from
# this host along with the return connection
pass out quick proto icmp all keep state
pass out quick proto tcp all keep state
pass out quick proto udp all keep state

# Allow SecureShell incoming connections on 22 port 
pass in quick proto tcp from any to any port = 22 flags S keep state keep frags

ipnat.conf
map bge0 10.2.0.0/24 -> 0/32 portmap tcp/udp auto
map bge0 10.2.0.0/24 -> 0/32
rdr bge0 10.2.0.0/24 -> 10.2.0.3

使用一个 lx 区域 (10.2.0.3) 可以完美运行。我可以通过 192.168.0.0/24 网络客户端使用 ssh 访问它。我的问题是...如果我想要两台或更多机器，是否可以将 ssh 重定向到不同的机器？

例如

machine1-------->ssh------->lxzone1
machine1-------->ssh------->lxzone2

哪条规则适用于此？谢谢

ps 使用 solaris11.4 并使用 pf 代替 ipfilter（已删除），所有操作均可通过这个简单的 pf.conf 顺利完成

# Vars
ext_if="net0"
int_if="net1"
ext_net="192.168.0.0/24"
int_net="10.2.0.0/24"
webports="{443, 80}"

##  make IP reassembly work
set reassemble yes no-df

## ignore loopback traffic
set skip on lo0

# block everything unless told otherwise
# and send TCP-RST/ICMP unreachable
# for every packet which gets blocked
block return in log all
pass out all

# Pass
pass in on $int_if proto tcp from $ext_net to any keep state
pass in on $int_if proto udp from $ext_net to any keep state
pass in on $int_if proto tcp from $int_net to any keep state
pass in on $int_if proto udp from $int_net to any keep state

# accept incoming SSH connections
pass in proto tcp from any to $ext_if port 22

# accept icmp
pass in proto icmp all

## allow all connections initiated from this system,
## including DHCP requests
pass out

#nat
pass out on net0 from $int_net to any nat-to (net0)