Subject: Re: Question about ipf and ipnat
To: None <seth@cql.com, tech-net@netbsd.org>
From: Henry B. Hotz <hotz@jpl.nasa.gov>
List: tech-net
Date: 10/08/2001 10:16:52

At 10:08 PM -0700 10/7/01, Seth Kurtzberg wrote:
>I haven't been able to determine exactly how to construct the input rules,
>however.  Do I use the translated address on the filter rules?
>
>For the corresponding input filter rule, do I use:
>
>	pass in from any to 63.137.39.131/32 port = 80 group 100
>
>or should I be using:
>
>	pass in from any to 192.168.1.3/32 port = 80 group 100
>

NAT is done first.  Use the second rule.

I have a redirect to an HP JetDirect interface on a two-node "LAN" 
and found this out the hard way.  ;-)  It's actually documented 
somewhere in one of the FAQs or something.
-- 
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
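
The ordering described in the reply above, as an added example that is not part of the original message and not IPFilter code: a simplified Python model of inbound processing in which the redirect rewrites the destination before the filter rules are evaluated. The redirect mapping, the default-block policy, and the client address 198.51.100.7 are assumptions constructed from the addresses in the thread.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Constructed redirect table: (public dst, port) -> (internal dst, port).
# Stands in for an ipnat redirect of the public web address to the inside host.
RDR = {("63.137.39.131", 80): ("192.168.1.3", 80)}


def nat_inbound(pkt: Packet) -> Packet:
    """Rewrite the destination of an inbound packet if a redirect applies."""
    target = RDR.get((pkt.dst, pkt.dport))
    if target is None:
        return pkt
    return replace(pkt, dst=target[0], dport=target[1])


def rule_matches(net: str, port: int, pkt: Packet) -> bool:
    """Model of 'pass in from any to <net> port = <port>'."""
    in_net = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(net)
    return in_net and pkt.dport == port


def filter_inbound(pkt: Packet, pass_rules) -> str:
    """Inbound path: NAT first, then the filter sees the translated packet.

    Assumes a default-block policy, so a packet passes only if a rule matches.
    """
    seen = nat_inbound(pkt)
    matched = any(rule_matches(net, port, seen) for net, port in pass_rules)
    return "pass" if matched else "block"


if __name__ == "__main__":
    # Constructed sample packet from an outside client to the public address.
    pkt = Packet("198.51.100.7", "63.137.39.131", 80)
    for rule in [("63.137.39.131/32", 80), ("192.168.1.3/32", 80)]:
        print(rule, "->", filter_inbound(pkt, [rule]))
```

A rule written against the public address never matches in this model, because the filter only sees the packet after its destination has become 192.168.1.3.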