Subject: Question about ipf and ipnat
To: None <>
From: Seth Kurtzberg <>
List: tech-net
Date: 10/07/2001 22:08:07

Does any know the order of application of NAT rules and IPF rules?  That is, 
does address translation occur before or after the application of IPF rules?

It appears that for outgoing packets, filter rules are applied to the address 
before NAT is applied; that is, the untranslated address needs to be used in 
the IPF rules.  This works well.

I haven't been able to determine exactly how to construct the input rules, 
however.  Do I use the translated address on the filter rules?

To be clear, I have a web server which is  Internally it is  For the output filter, I have a rule:

	pass out from port = 80 to any group 100

which works.  The packets arriving at my test machine (connected to my DMZ 
between the NETBSD machine and my border gateway) show a source address of, which is correct.

For the corresponding input filter rule, do I use:

	pass in from any to port = 80 group 100

or should I be using:

	pass in from any to port = 80 group 100


The packets for this path actually are diverted to a transparent proxy in a 
firewall, but this firewall is on the other side of the machine where I am 
setting the filter rules, and operates transparently.  That is, I have a two 
stage firewall, and the packets are diverted on the inner firewall, but the 
question is about the filter rules on the outer firewall which is unaware of 
the existence of the inner firewall (except that routes go through the inner 
firewall, of course).  As the output filter rule works as expected, I don't 
think any configuration of the inner firewall is relevant to this question, 
but I include the information just in case.

Thanks in advance...
Seth Kurtzberg
Machine Independent Software
Office:  (480) 661-1849
Fax: (480) 614-8909
pager:  888-605-9296 or email