Quote:
Is there a best practice as to where the NAT rules should be placed?
I'm not sure if the practice is articulated as "Best", but I prefer to see overarching rules such as nat-to and scrub used in match rules, and the best place for match rules is at the top of the filter rules.
Historically, NAT and packet normalizations had their own rules that came before the filter set, so when we migrated to match we all left them in the same location, ahead of the pass/block rules. The match rules differ from block/pass in that the parameters they set always apply; the "last matching" rule does not apply to them.
(I note Peter Hansteen uses match rules and puts them in above all block/pass rules also. Anything Peter does with PF is, to me, a Best Practice.)
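As an added illustration (not from the poster above), here is a pf.conf layout following that advice: match rules for scrub and nat-to at the top, filter rules below. The interface names and the LAN prefix are constructed for the example, not taken from any real configuration.

```pf
# Constructed macros for this example
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

set skip on lo

# 1. match rules first. Their parameters (normalization, translation)
#    are attached to every packet they match and stay attached no matter
#    which pass/block rule wins later, so there is no "last match" here.
match in all scrub (no-df random-id max-mss 1440)
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# 2. Filter rules second. Here the last matching rule wins, unless a
#    rule carries "quick", which ends evaluation on the spot.
block all
block in quick on $ext_if from { 10/8, 172.16/12, 192.168/16 } to any

pass in  on $int_if inet from $lan_net to any
pass out on $ext_if inet

# Why the order matters: had the nat-to match rule been placed below a
# "pass ... quick" rule that matched the outbound LAN traffic, evaluation
# would stop at the quick rule and the match rule would never be applied,
# so those packets would leave $ext_if untranslated. Check the loaded
# ruleset with: pfctl -vnf /etc/pf.conf
```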