On 2010-04-20, Leonardo Carneiro - Veltrac <[email protected]> wrote:
>>
> I'm well aware that nat occurs before the filtering, but what about
> redirections that do not involve nat?
translation = NAT = Network Address Translation = nat and rdr and binat rules.
Since translation occurs before filtering, the filter engine will see
packets as they look after any addresses and ports have been translated.
Filter rules will therefore have to filter based on the translated address
and port number. Packets that match a translation rule are only
automatically passed if the pass modifier is given, otherwise they are
still subject to block and pass rules.
...
Evaluation order of the translation rules is dependent on the type of the
translation rules and the direction of a packet. binat rules are always
evaluated first. Then either the rdr rules are evaluated on an inbound
packet or the nat rules on an outbound packet. Rules of the same type
are evaluated in the same order in which they appear in the ruleset. The
first matching rule decides what action is taken.
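To make the point concrete, here is an added pf.conf fragment (not from the thread or the pf.conf manual) in the pre-OpenBSD 4.7 syntax the quoted text describes. Interface names and the 192.0.2.0/24 and 203.0.113.0/24 addresses are assumptions, chosen from the documentation ranges. It shows the three translation rule types in the order pf evaluates them, a filter rule written against the pre-translation address that can never match, and the corrected rule written against the translated address and port.

```pf
# Added example, not from the original thread. Pre-4.7 pf.conf syntax.
# Interface names and addresses are assumptions.
ext_if  = "em0"
int_if  = "em1"
web_srv = "192.0.2.10"

# --- Translation rules: run BEFORE filtering, first match wins. ---
# binat is checked first on every packet; then rdr on inbound packets
# or nat on outbound packets, in the order they appear here.
binat on $ext_if from 192.0.2.20 to any -> 203.0.113.20
rdr   on $ext_if proto tcp from any to 203.0.113.1 port 80 -> $web_srv port 8080
nat   on $ext_if from 192.0.2.0/24 to any -> 203.0.113.1

# --- Filter rules: see the packet AFTER translation. ---
# Wrong: by the time the filter runs, the destination of the redirected
# web traffic is already 192.0.2.10:8080, so this rule never matches
# and the traffic is blocked by the default block policy.
# pass in on $ext_if proto tcp from any to 203.0.113.1 port 80

# Right: filter on the translated destination address and port.
pass in on $ext_if proto tcp from any to $web_srv port 8080 \
    flags S/SA keep state

# Outbound: nat has already rewritten the source to 203.0.113.1 when the
# filter runs on $ext_if, so key on the translated source, not 192.0.2.0/24.
pass out on $ext_if proto { tcp udp } from 203.0.113.1 to any keep state

# Alternative: the "pass" modifier on a translation rule passes matching
# packets immediately, so they are not evaluated against block/pass rules.
# rdr pass on $ext_if proto tcp from any to 203.0.113.1 port 443 -> $web_srv port 8443

block in on $ext_if all
```

After loading, `pfctl -s nat` lists the translation rules in their evaluation order and `pfctl -s rules` the filter rules; comparing the two is the quickest way to confirm a filter rule is written for the addresses the translation engine hands it.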