Subject: ipfilter changes in 1.4.2
To: None <tech-net@netbsd.org>
From: Scott Bartram <scottb@orionsoft.com>
List: tech-net
Date: 04/23/2000 22:58:40

I just upgraded a router box from 1.4 to 1.4.2. This system has been
running fine for well over a year using ipf and ipnat. The ipf inbound
rules used to filter using the static PPP address obtained from the ISP.
Now it seems that NAT is done before filtering.

a) Is it true that NAT is now done pre-filter? Based on the ipfilter website
   it appears to be the case.

b) This seems more likely to open holes since I have to write rules that
   allow packets through that have my internal (private) addresses as the
   destination, or am I missing something?

scott