Hello,
I have looked through various info including when NAT happens in the
rules processing and I am still confused. I thought that I could write a
pass out rule on my external interface that would cover all packets from
my internal range but I end up writing a rule that passes out on my
external interface with a source address of the internal range on my
firewall. Maybe this is the correct way of doing things and I have a
wire crossed in my brain. I have to write the rule like:
    pass out quick on em0 proto tcp from 10.201.1.0/24 to any flags S keep state
instead of:
    pass out quick on em0 proto tcp from my.external.ip/32 to any flags S keep state
in order for anything (www, IMAP etc) to work. Why would I write the
rule with my NAT'ed range and not my external IP? Hasn't NAT already
happened on coming in on the internal interface and passing to the
external interface?
Thank You,
Peter Clark