  • Why are NAT rules processed before firewall rules? Seems like a firewall should be the outermost barrier, and once a packet passes through the firewall it is then NAT'ed to the local system.

    Is there any way to flip the NAT vs. firewall order?

    That's how it's done in pf. I'm sure there are discussions in the pf archive on the topic, but it's not just a bit you can flip like that, AFAIK.

    There are advantages and disadvantages to both methods though; it's not quite so clear.

