Subject: Re: ipf and ipnat and unrelated 1.4.2 Observations
To: Steve <stevep@mccue.com>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: port-i386
Date: 04/11/2000 17:35:37

On Tue, Apr 11, 2000 at 12:50:23PM -0700, Steve wrote:
> Greetings, two things:
> 
> IPF/IPNAT-
> Although not specifically port-i386 specific, is there
> any documentation on ordering of ipf and ipnat?
> 
> It appears ipnat is layered below ipf, such that
> rdr's placed in ipnat bypass any blocks set in
> ipf.  Is this the implemented architecture?

No.  NAT does run *first*, but IPF still sees the packets -- it just sees
the addresses as rewritten by NAT.

No, this isn't obvious, but it's how it's always been and changing it would
break a lot of people's NAT/IPF rules.
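
The ordering described in the reply above, shown as an added configuration example that is not part of the original message. The interface name fxp0 and all addresses (documentation ranges plus a private internal host) are assumed values chosen for illustration.

```conf
# Constructed example: fxp0, 192.0.2.10, 198.51.100.0/24 and 10.0.0.5
# are assumptions, not values from the mailing-list thread.

# --- ipnat.conf ---
# Redirect inbound TCP/80 arriving for the external address to an
# internal host. This rewrite happens before IPF evaluates the packet.
rdr fxp0 192.0.2.10/32 port 80 -> 10.0.0.5 port 80 tcp

# --- ipf.conf ---
# Written against the pre-NAT (external) destination. Redirected
# packets never match it, because IPF sees the destination as
# 10.0.0.5 by the time it runs. This is why an rdr can look as if it
# "bypasses" a block.
block in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 80

# Written against the post-NAT (internal) destination. These rules do
# see the redirected traffic: block one source network, then allow the
# rest with state.
block in quick on fxp0 proto tcp from 198.51.100.0/24 to 10.0.0.5/32 port = 80
pass  in quick on fxp0 proto tcp from any to 10.0.0.5/32 port = 80 flags S keep state
```

Per-rule hit counts from `ipfstat -hi` show which of these rules the redirected packets actually matched.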