I'm new to m0n0wall and still learning. I'm moving from IPCop to m0n0wall and need some help in translating rules. I have 4 external SMTP servers that forward mail to me, so I want to open port 25 to them. I tried creating these rules for my DMZ segment:

Proto  Source             Port  Destination  Port       Description
*      RFC 1918 networks  *     *            *          Block private networks
TCP    XXX.XXX.XXX.XXX    *     192.168.0.2  25 (SMTP)  SMTP
TCP    XXX.XXX.XXX.XXX    *     192.168.0.2  25 (SMTP)  SMTP
TCP    XXX.XXX.XXX.XXX    *     192.168.0.2  25 (SMTP)  SMTP
TCP    XXX.XXX.XXX.XXX    *     192.168.0.2  25 (SMTP)  SMTP

as this is all I would need with IPCop. But still all SMTP connections were blocked. So I figured I need to add this to my NAT rules:

Firewall: NAT: Inbound

If   Proto  Ext. port range  NAT IP       Int. port range
WAN  TCP    25 (SMTP)        192.168.0.2  25 (SMTP)

and now my SMTP connections were allowed. But then it appeared that m0n0wall added this in my DMZ rules:

Proto  Source             Port  Destination  Port       Description
TCP    *                  *     192.168.0.2  25 (SMTP)  NAT

Not wanting to be open to everyone, I changed this rule to block SMTP connections and figured that since it follows the DMZ rules above all would be good. This seems to work fine so far. The question is: am I doing this right?

Frank