NAT and source IP filtering in PF, using OpenBSD >= 4.7


http://unix.stackexchange.com – I just read a book about PF (The Book Of PF, No Starch), but there's one question not answered by it. If I have a gateway machine using two interfaces, $int_if and $ext_if, and I NAT the packets coming from $int_if:net (which is, let's say, to $ext_if using match, when does the NAT get applied? Before or after the filtering rules? Example:

match out on $ext_if from nat-to ($ext_if)
pass out on $ext_if from
block drop out on $ext_if from

Does that work? Or does the source IP of a packet coming from get NATed to the address of $ext_if before