配置内网服务器多个端口出公网，安全策略要注意什么，求指教

# version 7.1.064, Release 9323P17 # sysname H3C # context Admin id 1 # telnet server enable # irf mac-address persistent timer irf auto-update enable undo irf link-delay irf member 1 priority 1 # dhcp enable # password-recovery enable # vlan 1 # object-group ip address 2801-1 security-zone Trust 0 network host address 192.168.1.250 # object-group ip address neiwang security-zone Trust 0 network subnet 192.168.1.0 255.255.255.0 # object-group service 12000 0 service udp destination eq 12000 # object-group service 12000tcp 0 service tcp destination eq 12000 # object-group service 5060 0 service tcp destination eq 5060 # object-group service 5060UDP 0 service udp destination eq 5060 # object-group service 5062UDP 0 service udp destination eq 5062 # object-group service 5510 0 service tcp destination eq 5510 # object-group service 5511UDP 0 service udp destination eq 5511 # object-group service 7000UDP 0 service udp destination eq 7000 # object-group service 8000UDP 0 service udp destination eq 8000 # object-group service 8001UDP 0 service udp destination eq 8001 # object-group service 8002UDP 0 service udp destination eq 8002 # object-group service 8088 0 service tcp destination eq 8088 # object-group service 8088-80 0 service tcp destination range 80 8088 # object-group service 80tcp 0 service tcp destination eq 80 # dhcp server ip-pool NW gateway-list 192.168.1.1 network 192.168.1.0 mask 255.255.255.0 dns-list 114.114.114.114 202.103.224.68 static-bind ip-address 192.168.1.250 mask 255.255.255.0 hardware-address 2801 static-bind ip-address 192.168.1.251 mask 255.255.255.0 hardware-address 4444 # interface NULL0 # interface GigabitEthernet1/0/0 port link-mode route ip address 192.168.0.254 255.255.255.0 # interface GigabitEthernet1/0/1 port link-mode route ip address 180.140.242.150 255.255.255.0 ip address 180.140.242.151 255.255.255.0 sub nat outbound nat server protocol tcp global 180.140.242.150 5060 inside 192.168.1.250 5060 nat server protocol tcp global 180.140.242.150 5510 inside 192.168.1.250 5510 nat server protocol tcp global 180.140.242.150 8088 inside 192.168.1.250 80 nat server protocol tcp global 180.140.242.150 12000 inside 192.168.1.250 12000 nat server protocol udp global 180.140.242.150 5060 inside 192.168.1.250 5060 nat server protocol udp global 180.140.242.150 5062 inside 192.168.1.250 5062 nat server protocol udp global 180.140.242.150 5511 inside 192.168.1.250 5511 nat server protocol udp global 180.140.242.150 7000 inside 192.168.1.250 7000 nat server protocol udp global 180.140.242.150 8000 inside 192.168.1.250 8000 nat server protocol udp global 180.140.242.150 8001 inside 192.168.1.250 8001 nat server protocol udp global 180.140.242.150 8002 inside 192.168.1.250 8002 nat server protocol udp global 180.140.242.150 12000 inside 192.168.1.250 12000 # interface GigabitEthernet1/0/2 port link-mode route ip address 192.168.1.1 255.255.255.0 nat hairpin enable # interface GigabitEthernet1/0/3 port link-mode route # interface GigabitEthernet1/0/4 port link-mode route # interface GigabitEthernet1/0/5 port link-mode route # interface GigabitEthernet1/0/6 port link-mode route # interface GigabitEthernet1/0/7 port link-mode route # interface GigabitEthernet1/0/8 port link-mode route # interface GigabitEthernet1/0/9 port link-mode route # interface GigabitEthernet1/0/10 port link-mode route # interface GigabitEthernet1/0/11 port link-mode route # interface GigabitEthernet1/0/12 port link-mode route # interface GigabitEthernet1/0/13 port link-mode route # interface GigabitEthernet1/0/14 port link-mode route # interface GigabitEthernet1/0/15 port link-mode route # interface GigabitEthernet1/0/16 port link-mode route # interface GigabitEthernet1/0/17 port link-mode route # interface GigabitEthernet1/0/18 port link-mode route # interface GigabitEthernet1/0/19 port link-mode route # interface GigabitEthernet1/0/20 port link-mode route # interface GigabitEthernet1/0/21 port link-mode route # interface GigabitEthernet1/0/22 port link-mode route # interface GigabitEthernet1/0/23 port link-mode route # security-zone name Local # security-zone name Trust import interface GigabitEthernet1/0/2 # security-zone name DMZ # security-zone name Untrust import interface GigabitEthernet1/0/1 # security-zone name Management import interface GigabitEthernet1/0/0 # scheduler logfile size 16 # line class aux user-role network-operator # line class console authentication-mode scheme user-role network-admin # line class vty user-role network-operator # line aux 0 user-role network-admin # line con 0 user-role network-admin # line vty 0 63 authentication-mode scheme user-role network-admin # ip route-static 0.0.0.0 0 180.140.242.1 # ssh server enable # domain system # aaa session-limit ftp 16 aaa session-limit telnet 16 aaa session-limit ssh 16 domain default enable system # role name level-0 description Predefined level-0 role # role name level-1 description Predefined level-1 role # role name level-2 description Predefined level-2 role # role name level-3 description Predefined level-3 role # role name level-4 description Predefined level-4 role # role name level-5 description Predefined level-5 role # role name level-6 description Predefined level-6 role # role name level-7 description Predefined level-7 role # role name level-8 description Predefined level-8 role # role name level-9 description Predefined level-9 role # role name level-10 description Predefined level-10 role # role name level-11 description Predefined level-11 role # role name level-12 description Predefined level-12 role # role name level-13 description Predefined level-13 role # role name level-14 description Predefined level-14 role # user-group system # local-user admin class manage password hash $h$6$fknRGqXXoOfqsTUk$JFWEr3kzVP4TW9hountFQOQD/XPPirPiF2ysGsfxF0kJupZ6TKo4mkyxgCfgfGlqVDuaGv7kweWvSplZjWyTCw== service-type ssh telnet terminal https authorization-attribute user-role level-3 authorization-attribute user-role network-admin authorization-attribute user-role network-operator # session statistics enable # ip https enable webui log enable # uapp-control # security-policy ip rule 0 name shangwang action pass source-zone Trust destination-zone Untrust source-ip neiwang rule 1 name hutong action pass source-zone Trust source-zone Local destination-zone Local destination-zone Trust rule 2 name 2801-1 action pass source-zone Untrust destination-zone Trust destination-ip 2801-1 service 12000 rule 3 name 2801-2 action pass source-zone Untrust destination-zone Trust destination-ip 2801-1 service 8088 rule 4 name 2801-3 action pass source-zone Untrust destination-zone Trust destination-ip 2801-1 service 5060 rule 5 name 2801-4 action pass source-zone Untrust destination-zone Trust destination-ip 2801-1 service 5060UDP rule 6 name 2801-5 action pass source-zone Untrust destination-zone Trust destination-ip 2801-1 service 5062UDP rule 7 name 2801-6 action pass source-zone Untrust destination-zone Trust destination-ip 2801-1 service 5510 rule 8 name 2801-7 action pass source-zone Untrust destination-zone Trust destination-ip 2801-1 service 7000UDP rule 9 name 2801-8 action pass source-zone Untrust destination-zone Trust destination-ip 2801-1 service 8000UDP rule 10 name 2801-9 action pass source-zone Untrust destination-zone Trust destination-ip 2801-1 service 8001UDP rule 11 name 2801-10 action pass source-zone Untrust destination-zone Trust destination-ip 2801-1 service 8002UDP rule 12 name 2801-11 action pass source-zone Untrust destination-zone Trust destination-ip 2801-1 service 12000tcp rule 13 name 2801-12 action pass source-zone Untrust destination-zone Trust destination-ip 2801-1 service 5511UDP rule 14 name 2801-13 action pass source-zone Untrust destination-zone Trust destination-ip 2801-1 service 80tcp rule 15 name 2801-14 action pass source-zone Untrust destination-zone Trust destination-ip 2801-1 service 8088-80 #

这个是我的配置，外网输入公网加IP和端口8088无法访问，数据太长，无法发新帖提问

看了一下域间策略这里，只有源untrust到目的trust，没看到有源trust到目的untrust