I have a Sophos UTM with v9.712-13. I understand from Rule #2 in "rulz" that DNAT is evaluated before the firewall rules:
the connection tracker (conntrack) first
then Country Blocking
then the 'ICMP' tab in 'Firewall': Traceroute and Ping…
I have been reading through Rulz and this earlier post trying to get my blackhole/null route working with DNAT since my firewall rules were not (as explained by Rulz). From the latter link, BAlfson said the following is a valid DNAT configuration:
…