diff --git a/source/manual/firewall.rst b/source/manual/firewall.rst index df1dc459..ee9bfe5f 100644 --- a/source/manual/firewall.rst +++ b/source/manual/firewall.rst @@ -120,6 +120,11 @@ Our default deny rule uses this property for example (if no rule applies, drop t groups use :code:`300000` and interface rules land on :code:`400000` combined with the order in which they appear. Automatic rules are usually registered at a higher priority (lower number). +.. Warning:: + + **NAT rules are always processed before filter rules!** + So for example, if you define a `NAT : port forwarding rules `__ *without a associated rule*, i.e. **Filter rule association** set to **Pass**, this has the consequence, that no other rules will apply! + .. Tip:: The interface should show all rules that are used, when in doubt, you can always inspect the raw output of the ruleset in :code:`/tmp/rules.debug`
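Review bot: the second sentence of the added Warning is hard to parse and leaves the scope of the bypass unclear. "without a associated rule" should read "without an associated rule", and "this has the consequence, that no other rules will apply" does not say which traffic is affected. Since this is the security-relevant part, state it directly, for example: "If a port forward has **Filter rule association** set to **Pass**, traffic matching that forward is passed and no other filter rules are applied to it." The "i.e." also equates "without an associated rule" with the **Pass** setting, which a reader may not know are the same thing, so it is clearer to name the setting first and then explain what it does. As shown here, the link text `NAT : port forwarding rules `__ carries no target before the closing backtick; please check that the anonymous hyperlink has its target in the source so that the reference resolves when the docs are built.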