30th April 2013
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975

Quote:
Is there a best practice as to where the NAT rules should be placed?
I'm not sure if the practice is articulated as "Best", but I prefer to see overarching rules such as nat-to and scrub used in match rules, and the best place for match rules is at the top of the filter rules.

Historically, NAT and packet normalization had their own rules that came before the filter set, so when we migrated to match we all left them in the same location, ahead of the pass/block rules. The match rules differ from block/pass in that the parameters they set always apply; the "last matching" rule does not apply to them.

(I note Peter Hansteen uses match rules and puts them above all block/pass rules as well. Anything Peter does with PF is, to me, a Best Practice.)
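The layout the post describes, as an added example that is not the poster's own ruleset or anything taken from Peter Hansteen: a minimal OpenBSD pf.conf with the scrub and nat-to match rules at the top and the block/pass filter rules after them. The interface names, the internal network and the max-mss value are assumptions chosen for illustration.

```pf
# Added example, not from the original post: a minimal OpenBSD pf.conf laid
# out the way the post describes (match rules first, then filter rules).
# Interface names, the internal network and max-mss are assumptions.
ext_if = "em0"
int_if = "em1"
int_net = "192.168.1.0/24"

set skip on lo0

# match rules: the parameters they set stick to the packet no matter which
# pass or block rule turns out to be the last match further down
match in all scrub (no-df random-id max-mss 1440)
match out on $ext_if inet from $int_net to any nat-to ($ext_if:0)

# filter rules: "last matching rule wins" unless a rule says quick
block all
pass out quick on $ext_if inet
pass in on $int_if inet from $int_net to any
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s rules` then shows the match rules ahead of the filter rules in exactly this order. One caveat worth keeping in mind: a match rule only sets parameters, so the nat-to above takes effect on a packet only if a later pass rule actually lets that packet through; if the final decision is block, no translation happens.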