[Firehol-support] securing via NAT and interface vs router security

Wojtek Swiatek w at swtk.info
Wed Jan 2 15:04:39 GMT 2019


Hello everyone,

I have a network made of containers and physical machines, all of them are
behind firehol. There is also an Internet-facing interface.
Some of the services on these machines need to be available from the Internet,
so I NATted them:

dnat4 to 10.200.0.6 inface int0 proto tcp dport 25565

The interface (br0) which holds 10.200.0.6 is completely open:

interface4 lan+,br+,tun+,wg+ lan
    # all traffic into services on the LAN interfaces accepted
    client all accept
    server all accept
    policy accept

My intent is to have an "accept all" set of services (there is no need for
partitioning / filtering inside my network) and secure the access by
NATting the traffic. Are there any drawbacks to that?

Generally speaking, I am a bit confused by NAT vs interface vs router. To
take the example above, 10.200.0.6 exposes on port 25565. If I want to come
from the Internet, I hit the dnat rule which forwards the packet to 10.200.0.6.
And then which rules apply?
- the interface ones? The first note at
https://firehol.org/firehol-manual/firehol-interface/ seems to say no (?)
- the router ones? It would make sense as the packet is moving from int0 to
br0 (two interfaces). But in that case what is the interface for? Only for
traffic coming from an interface directed to the same interface?

Thank you in advance for any pointers
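Added illustration, not part of the post above and not a reply from the list: a FireHOL configuration that keeps the poster's dnat4 line and open lan interface, and adds a router statement for the int0 to br0 path. In FireHOL, traffic forwarded between two interfaces (which is what the DNATed packet becomes) is matched by router statements, while interface statements only match traffic that terminates on or originates from the firewall host itself. The interface names int0 and br0 and the port come from the post; the router/interface statement names and the "exposed" service name are assumptions.

```firehol
version 6

# Internet-facing side of the firewall host itself.
# Only traffic addressed TO the host (or leaving FROM it) is matched here;
# the DNATed packet for 10.200.0.6 never touches these rules.
interface4 int0 internet
    protection strong
    client all accept

# Internal side, as in the post: fully open towards the firewall host.
interface4 lan+,br+,tun+,wg+ lan
    # all traffic into services on the LAN interfaces accepted
    client all accept
    server all accept
    policy accept

# DNAT exactly as in the post: rewrite the destination, then the packet
# is FORWARDED from int0 to br0 and is decided by the router below.
dnat4 to 10.200.0.6 inface int0 proto tcp dport 25565

# Forwarded traffic from the Internet into the container network.
# "server" in a router means requests entering via inface and leaving via
# outface, so this is where the exposed service is actually permitted.
# Only tcp/25565 to 10.200.0.6 is allowed through; anything else that
# might be DNATed or routed in this direction is dropped by default.
router4 inet2br inface int0 outface br0
    server custom exposed tcp/25565 default accept dst 10.200.0.6
    # replies and connections initiated from inside towards the Internet
    client all accept

# Forwarding between the internal interfaces themselves stays open,
# matching the "no partitioning inside my network" intent of the post.
router4 lan2lan inface "lan+ br+ tun+ wg+" outface "lan+ br+ tun+ wg+"
    route all accept
```

The practical consequence is that the wide-open lan interface does not by itself expose anything to the Internet; what is reachable from int0 is exactly the set of "server" rules in the inet2br router, so tightening that one statement is where the exposure is controlled.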