OPNsense Forum » Archive » 19.1 Legacy Series » NAT and Floating rules
Topic: NAT and Floating rules (Read 2325 times)
BenKenobi, on May 22, 2019, 02:52:27 pm:
Can somebody have a look at priorities for blocking traffic vs port forwarding / NAT?
I've just spotted this in my email server logs:
lost connection after CONNECT from house.census.shodan.io[89.248.172.16]\nMay
but house.census.shodan.io is in a block list - (Alias configured as URL (IPs) and allocated to a floating block rule applied to all interfaces). The fact that this log entry exists tells me that something isn't working - shodan should have been blocked.
I don't want to debate the value of blocking such people - I don't invite strangers into my house to look around - this kind of intrusive scanning is no different to me.
I've also seen some 'attacked blocked' notices to port 80 on a system from Kaspersky but considered Kaspersky at fault as there is no port 80 forwarding to that system - now I'm not so sure OPNsense is doing what I expect.
For now I've moved the block rules to the interfaces and put them before any NAT generated rules, I'll be a bit disappointed if I see entries that I shouldn't in event logs going forward.
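One way to confirm whether block-listed addresses still reach the mail server after a rule change, as an added example that is not part of the original post: it cross-checks client addresses in mail log lines against the entries of a URL (IPs) style list. It assumes Postfix-style `host[ip]` client fields; the function names, the sample list and every log line except the shodan entry quoted above are constructed.

```python
import ipaddress
import re

# Matches the "from host[ip]" client field in Postfix-style smtpd log lines (assumed format).
CLIENT_RE = re.compile(r"from (?P<host>\S+?)\[(?P<ip>[0-9A-Fa-f:.]+)\]")

def load_blocklist(text):
    """Parse a list with one IP or CIDR per line; '#' starts a comment."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # skip lines that are not addresses
    return nets

def blocked_clients_seen(log_text, nets):
    """Return (host, ip, matching network) for each logged client found in the list."""
    hits = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        for net in nets:
            if addr.version == net.version and addr in net:
                hits.append((m.group("host"), str(addr), str(net)))
                break
    return hits

# Constructed sample data; only the shodan host and address come from the post.
SAMPLE_BLOCKLIST = "# constructed sample list\n89.248.172.16\n198.51.100.0/24\n"
SAMPLE_LOG = (
    "postfix/smtpd[1234]: lost connection after CONNECT from house.census.shodan.io[89.248.172.16]\n"
    "postfix/smtpd[1235]: connect from mail.example.org[192.0.2.25]\n"
    "postfix/smtpd[1236]: connect from unknown[198.51.100.77]\n"
)

if __name__ == "__main__":
    for host, ip, net in blocked_clients_seen(SAMPLE_LOG, load_blocklist(SAMPLE_BLOCKLIST)):
        print(f"should have been blocked: {host} [{ip}] matches {net}")
```

Any hit dated after the block rules were moved means traffic from a listed address is still being passed to the forwarded port.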