added warning about high priority of nat rules (#445)

pull/448/head
Klaus Zerwes 1 year ago committed by GitHub
parent 073d1e8cc9
commit 65390e986d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -120,6 +120,11 @@ Our default deny rule uses this property for example (if no rule applies, drop t
groups use :code:`300000` and interface rules land on :code:`400000` combined with the order in which they appear.
Automatic rules are usually registered at a higher priority (lower number).
.. Warning::
**NAT rules are always processed before filter rules!**
So for example, if you define a `NAT : port forwarding rules <nat.html#port-forwarding>`__ *without a associated rule*, i.e. **Filter rule association** set to **Pass**, this has the consequence, that no other rules will apply!
.. Tip::
The interface should show all rules that are used, when in doubt, you can always inspect the raw output of the ruleset in :code:`/tmp/rules.debug`
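
Review bot: The consequence stated in the added warning, "no other rules will apply", is too broad as worded and should name the traffic it covers, for example "no filter rules will be evaluated for traffic matching this port forward", so a reader does not take it to mean the rest of the ruleset is disabled. In the same sentence, "without a associated rule" should read "without an associated rule", the comma in "this has the consequence, that" should go, and the link text "NAT : port forwarding rules" has a stray space before the colon. It would also help to say in the warning how to keep filtering in effect for forwarded traffic, i.e. which **Filter rule association** setting to pick instead of **Pass**.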
