[lug] nat vs. Firewall question

Chip Atkinson chip at rmpg.org
Thu Feb 7 22:57:16 MST 2002


Greetings,

I was setting up a firewall machine which has three interfaces and does
dnat and snat between two of them.  It occurred to me that I can do things
two ways and wanted to get some opinions to see if there was a better way
of doing things.

Here are the options.
1) nat only the ports desired, which means a bunch of nat rules, and leave
most of these rules to do the screening implicitly

2) nat everything and establish separate input and output rules that take
care of the ports and protocols to allow through.

I don't see any explicit advantage or disadvantage to either method except
for wanting to minimize the number of rules traversed.

Any other thoughts?

Thanks.

Chp
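
The two layouts from the question written out as iptables commands, as an added example (not from the original post or the list). Interface names, addresses and the published ports are assumptions: eth0 external, eth1 internal, 203.0.113.10 the public address, 192.168.1.10 the internal web server; the third interface is left out. IPT defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: option 1 (nat per port) and option 2 (nat everything,
# filter in FORWARD). Set IPT=/sbin/iptables to apply as root; the default
# only echoes the commands so the script can be read and tested offline.
IPT="${IPT:-echo iptables}"
EXT=eth0; INT=eth1; PUB=203.0.113.10; WEB=192.168.1.10   # assumed values

common() {
    # Screening is never left to the nat table alone: FORWARD defaults to
    # DROP, and only conntrack-tracked replies pass without an explicit rule.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT" -s 192.168.1.0/24 -j SNAT --to-source "$PUB"
}

# Option 1: one DNAT rule per published port. Anything not DNATed hits the
# FORWARD default DROP, so the nat rules double as the reachable-port list.
# The ACCEPT is still required: a DNAT rule translates, it does not permit.
option1() {
    common
    for p in 80 443; do
        $IPT -t nat -A PREROUTING -i "$EXT" -d "$PUB" -p tcp --dport "$p" -j DNAT --to-destination "$WEB"
        $IPT -A FORWARD -i "$EXT" -o "$INT" -d "$WEB" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
}

# Option 2: one DNAT rule for the whole address; FORWARD does all the
# screening, so every port and protocol decision lives in one chain and
# rejected attempts to the translated host can be logged in one place.
option2() {
    common
    $IPT -t nat -A PREROUTING -i "$EXT" -d "$PUB" -j DNAT --to-destination "$WEB"
    $IPT -A FORWARD -i "$EXT" -o "$INT" -d "$WEB" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$EXT" -o "$INT" -d "$WEB" -j LOG --log-prefix "dnat-rejected: "
}

if [ "$#" -eq 1 ]; then "$1"; fi
```

Either way the FORWARD policy carries the security decision; the difference is only whether the port list is expressed once in the nat table or once in the filter table.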