The match rule is "sticky" -- it sets options that remain in effect for any following pass or block.
For Network Address Translation, it is an easy way to apply the nat-to option to all of the subsequent pass rules which may apply to that traffic.
Traffic that is NATted must be passed, in any event, either with an explict nat-to or a nat-to included in a previous match rule.
Last edited by jggimi; 4th February 2014 at 01:44 AM.
Reason: clarity
|