Firewall vs. NAT Order
-
Why are NAT rules processed before firewall rules? Seems like a firewall should be the outermost barrier, and once a packet passes through the firewall it would then be NAT'ed to the local system.
Is there any way to flip the NAT vs. firewall order?
-
That's how it's done in pf. I'm sure there are discussions in the pf archive on the topic, but it's not just a bit you can flip like that, AFAIK.
There are advantages and disadvantages to both methods though, it's not quite so clear.
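
An added illustration, not part of the thread above: because pf applies translation before filtering, a filter rule on the inbound interface is evaluated against the already-rewritten destination address. The pf.conf fragment below assumes the FreeBSD-style standalone `rdr` syntax; the interface name and all addresses are constructed for the example.

```pf
# Constructed sample values (documentation / private address ranges).
ext_if  = "em0"            # assumed name of the external interface
ext_ip  = "203.0.113.10"   # public address clients connect to
web_srv = "192.168.1.10"   # internal host behind the redirect

# Translation section: evaluated BEFORE the filter rules below.
# Inbound TCP/443 to the public address is rewritten to the internal host.
rdr on $ext_if inet proto tcp from any to $ext_ip port 443 -> $web_srv port 443

# Filter section: sees the packet after the rdr rewrite.
block in log on $ext_if all

# Written against the pre-NAT (public) destination. The filter never sees
# that address for redirected traffic, so this rule would not match it:
# pass in on $ext_if inet proto tcp from any to $ext_ip port 443 keep state

# Written against the post-NAT (internal) destination. This is the rule
# that actually admits the redirected connection:
pass in on $ext_if inet proto tcp from any to $web_srv port 443 keep state
```

When auditing a ruleset, read each inbound pass rule as applying to the translated destination; a rule that names the public address of a redirected service is dead and the effective policy is whatever else matches the internal address.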