opnsense / docs

OPNsense documentation

added warning about high priority of nat rules #445

Closed zerwes closed 1 year ago

zerwes commented 1 year ago

added a warning regarding the high prio of nat port forwarding rules and the consequences regarding port forwarding rules without an associated rule.

AdSchellevis commented 1 year ago

I don't think the priority really matters here, nat rules are always processed before filter rules.

https://github.com/opnsense/core/blob/49f63e8082962c11a43bc58fa8e597149ac1e528/src/etc/inc/filter.inc#L284-L287
https://github.com/opnsense/core/blob/49f63e8082962c11a43bc58fa8e597149ac1e528/src/etc/inc/filter.inc#L379-L386

zerwes commented 1 year ago

> nat rules are always processed before filter rules

Yes, this is true, I just stepped into the pitfall with a nat rule and associated filter set to Pass. So I think mentioning the fact that nat rules are always processed before filter rules in the place where the priority of the rules is the topic might prevent others from making false assumptions. This might be clear for some people, but I think a hint at the right place is not hurting.

AdSchellevis commented 1 year ago

It certainly doesn't hurt to explain the order of things, I think we just better remove the priority phrase in this case as it doesn't really matter.

zerwes commented 1 year ago

OK, got the point @AdSchellevis, sorry, the coin took some time to drop :-/

AdSchellevis commented 1 year ago

@zerwes no problem, thanks for the update!