Since translation occurs before filtering, the filter engine will see packets as they look after any addresses and ports have been translated. Filter rules will therefore have to filter based on the translated address and port number.
It is my understanding and experience that this does *not* mean on the interface in question: it is universal. That is, all NAT happens before any filtering, regardless of the interface(s) involved.
It is actually for the interface specified in the nat rule. Things to consider:
1. When pf is searching for a matching nat rule, the interface the packet is exiting is considered. If they are not the same, the rule is not considered a match.
2. NAT only occurs on outgoing packets. Packets coming in on the internal interface cannot be NAT'd.
.joel
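
A minimal ruleset illustrating the points in this thread, added here as an example and not taken from any of the posts. It assumes the older `nat on ... ->` rule syntax that the thread's wording ("nat rule") implies, and the interface names `em0` and `em1` are placeholders.

```pf
# Constructed example: em0 = external, em1 = internal (placeholder names).
ext_if = "em0"
int_if = "em1"

# Translation rule: considered only for packets leaving via $ext_if.
# Packets arriving on $int_if are not translated by this rule.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny, so every packet needs an explicit pass rule.
block all

# Inbound on the internal interface: no translation has happened here,
# so the filter matches on the original (private) source address.
pass in on $int_if from $int_if:network to any keep state

# Outbound on the external interface: the nat rule above has already
# rewritten the source, so the filter must match the translated address.
pass out on $ext_if from ($ext_if) to any keep state

# This rule would NOT match forwarded traffic on $ext_if, because by the
# time filtering runs the source is no longer in $int_if:network:
# pass out on $ext_if from $int_if:network to any keep state
```

Checking the file with `pfctl -nf /etc/pf.conf` parses it without loading it, and `pfctl -ss` shows both the original and translated addresses in the state entries once traffic flows.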
