> you can limit that by source IP's on the WAN side. The only thing you
> need to keep in mind is that NAT applies first, so you're permitting
> traffic to the private IP and internal port.
Yes, that's exactly what I pointed out to the person trying to set up NAT rules: the NAT is first, so the filter rules have to match the *target* of the NAT, not the source of the NAT (which I was expecting to at first too).

A quick hint in the small text of the NAT page would be good; otherwise there is an explicit assumption that the pfSense operator knows internal details of BSD packet routing and filtering.

As a side effect of the NAT-first, you can *NOT* limit access based on the dest port of the incoming packet, as that has already been NATed into oblivion by the time the packet reaches the filter rules. (It's possible to do this with iptables.)

If I am wrong, I don't mind being told how to set it up otherwise.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header
http://volker.dnsalias.net/
Please do not CC list postings to me.
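The rule ordering discussed in the thread, written out as a pf.conf fragment. This is an added example, not configuration from the post or from pfSense itself; the interface name, networks and host address are assumptions chosen for illustration. It shows the point both posters make: the rdr rule runs first, so the pass rule that admits the forwarded traffic has to name the internal host and internal port, while the WAN-side source restriction still works because the source address is untouched by the translation.

```pf
# Assumed names and addresses (illustration only, not from the post):
ext_if    = "em0"               # WAN interface
admin_net = "203.0.113.0/24"    # WAN-side sources allowed to reach the forward
web_srv   = "10.0.0.5"          # internal host behind the NAT

# Translation is evaluated before filtering:
# TCP to the WAN address on port 8080 becomes 10.0.0.5:80.
rdr on $ext_if proto tcp from $admin_net to ($ext_if) port 8080 -> $web_srv port 80

# Default deny on the WAN side.
block in on $ext_if

# The filter sees the *translated* packet, so the destination here is the
# internal host and internal port (80), not the WAN port (8080).
# A rule written as "to ($ext_if) port 8080" would never match.
# The source address is unchanged by rdr, so restricting by $admin_net still works.
pass in quick on $ext_if proto tcp from $admin_net to $web_srv port 80 \
    flags S/SA keep state
```

To check a ruleset like this without loading it, run `pfctl -nf /etc/pf.conf`; `pfctl -sn` and `pfctl -sr` then show the loaded translation and filter rules separately, which makes the two-stage evaluation visible. In the pfSense GUI the same split appears as the Port Forward entry (translation) and the linked WAN firewall rule whose destination is the internal address and port.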