 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: Can't NAT on m0n0wall.
 Date:  Wed, 21 Jun 2006 14:09:37 -0400
On 6/21/06, Molle Bestefich <molle dot bestefich at gmail dot com> wrote:
> In my experience, m0n0wall is broken in a way that causes the firewall
> filter engine to see both translated and non-translated addresses.
> To make NAT work on m0n0wall, I created twice all rules that pertain
> to networks and devices with NATed addresses - one rule using the
> translated address and one rule using the untranslated.

No, this is completely wrong.  There's something really strange going
on if this makes something work.  I've never seen nor heard of anybody
having to do this.

NAT applies first, then firewall rules.  So all your rules on WAN must
refer to the private IP as the destination.  Nothing that hits NAT
will touch the firewall with the destination of a public IP.
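As an added illustration of the ordering Chris describes (this is example code written for this page, not code from m0n0wall or from anyone in the thread), the following Python toy model sends an inbound packet through a NAT table first and only afterwards through first-match filter rules. It shows why a WAN rule written against the public address never matches: by the time the filter runs, the destination has already been rewritten to the private host. All addresses, rule fields and function names are constructed for the example.

```python
"""Toy model of an inbound NAT firewall packet path: NAT rewrites the
destination first, then the filter rules see the translated packet.
Added example; addresses and rule layout are constructed, not m0n0wall's."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on ("wan", "lan", ...)
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    """Inbound (port-forward style) NAT entry."""
    iface: str
    ext_dst: str    # public address the packet originally targets
    proto: str
    ext_port: int
    int_dst: str    # private host the destination is rewritten to
    int_port: int


@dataclass(frozen=True)
class FilterRule:
    action: str             # "pass" or "block"
    iface: str
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    proto: str              # protocol name or "any"
    dport: Optional[int]    # None means any destination port


def apply_nat(pkt: Packet, nat_rules) -> Packet:
    """Return the packet with its destination rewritten by the first
    matching NAT entry, or unchanged if no entry applies."""
    for r in nat_rules:
        if (r.iface == pkt.iface and r.proto == pkt.proto
                and ip_address(pkt.dst) == ip_address(r.ext_dst)
                and r.ext_port == pkt.dport):
            return replace(pkt, dst=r.int_dst, dport=r.int_port)
    return pkt


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def evaluate_filter(pkt: Packet, rules, default: str = "block") -> str:
    """First-match filter evaluation; unmatched traffic gets the default."""
    for r in rules:
        if (r.iface == pkt.iface
                and _addr_matches(r.src, pkt.src)
                and _addr_matches(r.dst, pkt.dst)
                and (r.proto == "any" or r.proto == pkt.proto)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return default


def process_inbound(pkt: Packet, nat_rules, filter_rules):
    """NAT first, then filter: the filter only ever sees the translated packet."""
    translated = apply_nat(pkt, nat_rules)
    return translated, evaluate_filter(translated, filter_rules)


# Constructed scenario: forward public 203.0.113.10:443 to private 192.168.1.20:443.
NAT_RULES = [NatRule("wan", "203.0.113.10", "tcp", 443, "192.168.1.20", 443)]
INBOUND = Packet("wan", "198.51.100.7", "203.0.113.10", "tcp", 443)

# A WAN pass rule written against the public IP (never matches after NAT).
PUBLIC_DST_RULES = [FilterRule("pass", "wan", "any", "203.0.113.10/32", "tcp", 443)]
# The same rule written against the private IP (what the filter actually sees).
PRIVATE_DST_RULES = [FilterRule("pass", "wan", "any", "192.168.1.20/32", "tcp", 443)]


def demo() -> dict:
    return {
        "public_dst_rule": process_inbound(INBOUND, NAT_RULES, PUBLIC_DST_RULES)[1],
        "private_dst_rule": process_inbound(INBOUND, NAT_RULES, PRIVATE_DST_RULES)[1],
    }


if __name__ == "__main__":
    translated, _ = process_inbound(INBOUND, NAT_RULES, PRIVATE_DST_RULES)
    print("filter sees destination:", translated.dst)
    print(demo())
```

Running it shows the filter evaluating a destination of 192.168.1.20, so only the rule naming the private address passes the connection; the public-address rule falls through to the default block. The duplicated-rule workaround quoted above would "work" only because the second copy happens to be the one that matches.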