Table of Contents
1. Should I use pre-NAT or post-NAT addresses/ports in Firewall rules?
Firewall rules always match on the side of the session that carries the most information, which in practice is the internal (un-NAT'd) address. For example, if the entire internal network 192.168.*.* is NAT'd behind the public address 18.104.22.168, Firewall matches on the 192.168.*.* address for traffic both to and from that network, never on 18.104.22.168. At the session layer this works out to: pre-NAT source address, post-NAT destination address, pre-NAT source port, and post-NAT destination port. The practical consequence is that a rule for outbound traffic uses the client's internal source address, and a rule for port-forwarded inbound traffic uses the internal server's address and the port the forward delivers to (the post-NAT port), not the public address or the externally exposed port. An easy way to remember this is that the rule always matches where it gets the most information.
2. How do I lock down my network but for a few exceptions via the Firewall application?
Add a rule with no conditions, set its action to Block, and place it at the bottom of the list. A rule with no conditions matches all traffic, so anything not explicitly passed by a rule above it is blocked. Because rules are evaluated top to bottom, every Pass exception must sit above this catch-all rule; a Pass rule placed below it will never be reached.
3. Why aren't my Firewall rules being triggered?
Firewall rules are evaluated from top to bottom, and the first rule the traffic matches fires; no later rules are evaluated for that session. If a broad rule near the top of the list (for example, a Pass rule for the whole internal network) is matching, the more specific rules below it never trigger. To fix this, either move the specific rule above the broad one or narrow the broad rule's conditions. Also check that the rule's address and port conditions follow the pre-NAT/post-NAT convention described in question 1; a rule written against the public address or the externally exposed port of a port forward will not match.
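The three answers above describe one evaluation model: build the match tuple from the pre-NAT source and post-NAT destination (question 1), walk the rules top to bottom and stop at the first match (question 3), and rely on a condition-less Block rule at the bottom as the catch-all (question 2). The following Python model, added here as an illustration and not part of the original FAQ or the Firewall application's own code, implements that model and adds a conservative check for rules that can never fire because an earlier rule covers a superset of their traffic. The sessions, rule names and the addresses 203.0.113.5, 198.51.100.7, 192.168.1.10 and 192.168.1.20 are constructed for the example; the public address 18.104.22.168 is the one used in question 1.

```python
"""Model of first-match firewall rule evaluation on a NAT'd network.

Added illustration; rule names, sessions and internal addresses are constructed
for the example and are not taken from the Firewall application itself.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    """One session with its pre-NAT and post-NAT 4-tuples (addresses as strings)."""
    pre_src: str
    pre_src_port: int
    pre_dst: str
    pre_dst_port: int
    post_src: str
    post_src_port: int
    post_dst: str
    post_dst_port: int


def match_tuple(s: Session):
    """The tuple rules are evaluated against: pre-NAT source address and port,
    post-NAT destination address and port (the side carrying the internal address)."""
    return (ipaddress.ip_address(s.pre_src), s.pre_src_port,
            ipaddress.ip_address(s.post_dst), s.post_dst_port)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "pass" or "block"
    src_net: Optional[str] = None    # CIDR; None means any source
    dst_net: Optional[str] = None    # CIDR; None means any destination
    dst_port: Optional[int] = None   # None means any destination port

    def matches(self, mt) -> bool:
        src, _sport, dst, dport = mt
        if self.src_net is not None and src not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net is not None and dst not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dst_port is not None and dport != self.dst_port:
            return False
        return True


def evaluate(rules, session):
    """Top to bottom, first match wins. With no match the traffic passes,
    which is why a condition-less Block rule at the bottom is needed for lockdown."""
    mt = match_tuple(session)
    for rule in rules:
        if rule.matches(mt):
            return rule.action, rule.name
    return "pass", "(no rule matched)"


def _covers(outer: Optional[str], inner: Optional[str]) -> bool:
    """True when every address matched by `inner` is also matched by `outer`."""
    if outer is None:
        return True
    if inner is None:
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule matches a
    superset of their traffic. Conservative: only field-by-field containment is detected."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.src_net, later.src_net)
                    and _covers(earlier.dst_net, later.dst_net)
                    and earlier.dst_port in (None, later.dst_port)):
                out.append(later.name)
                break
    return out


# Constructed sessions: LAN 192.168.0.0/16 is NAT'd behind 18.104.22.168.
OUTBOUND_HTTPS = Session("192.168.1.10", 51000, "203.0.113.5", 443,
                         "18.104.22.168", 51000, "203.0.113.5", 443)
OUTBOUND_SSH = Session("192.168.1.10", 51001, "203.0.113.5", 22,
                       "18.104.22.168", 51001, "203.0.113.5", 22)
# Port forward: public :8080 is DNAT'd to the internal web server :80.
INBOUND_FORWARD = Session("198.51.100.7", 40000, "18.104.22.168", 8080,
                          "198.51.100.7", 40000, "192.168.1.20", 80)

LOCKED_DOWN = [
    Rule("allow LAN https out", "pass", src_net="192.168.0.0/16", dst_port=443),
    Rule("allow forwarded web in", "pass", dst_net="192.168.1.20/32", dst_port=80),
    Rule("block everything else", "block"),   # no conditions: matches all
]

# Written against the public address and exposed port: it never matches the forward.
WRONG_INBOUND_RULE = Rule("block public 8080", "block",
                          dst_net="18.104.22.168/32", dst_port=8080)

# A broad Pass rule at the top shadows the specific Block rule beneath it.
SHADOWED = [
    Rule("allow all LAN", "pass", src_net="192.168.0.0/16"),
    Rule("block LAN ssh", "block", src_net="192.168.0.0/16", dst_port=22),
]

if __name__ == "__main__":
    for s in (OUTBOUND_HTTPS, INBOUND_FORWARD, OUTBOUND_SSH):
        print(match_tuple(s), "->", evaluate(LOCKED_DOWN, s))
    print("wrong inbound rule matches forward:", WRONG_INBOUND_RULE.matches(match_tuple(INBOUND_FORWARD)))
    print("ssh under SHADOWED:", evaluate(SHADOWED, OUTBOUND_SSH))
    print("never-firing rules:", shadowed_rules(SHADOWED))
```

Running the script shows the forwarded session being matched on 192.168.1.20:80 rather than 18.104.22.168:8080, the SSH session falling through to the catch-all Block, and the shadow check reporting "block LAN ssh" as unreachable behind "allow all LAN". The shadow check only recognises containment when every condition of the later rule is a subset of the earlier rule's, so a clean report does not prove the list is free of ordering mistakes.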