From a654577ac2a35b2ffc998698ee3c19b94a4562ef Mon Sep 17 00:00:00 2001
From: Daniel Barlow <dan@telent.net>
Date: Mon, 12 Feb 2024 21:05:01 +0000
Subject: [PATCH] improve port-forwarding comment

---
 examples/demo-firewall.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/examples/demo-firewall.nix b/examples/demo-firewall.nix
index 923c306..88441e1 100644
--- a/examples/demo-firewall.nix
+++ b/examples/demo-firewall.nix
@@ -234,8 +234,10 @@ in {
     family = "ip";
     rules = [
       # This is where you put permitted incoming connections. If
-      # you're using NAT, the rules in this chain will see the
-      # internal (RFC1918) addresses.
+      # you're using NAT and want to forward a port from outside to
+      # devices on the LAN, then you need a DNAT rule in nat-rx chain
+      # *and* to accept the packet in this chain (specifying the
+      # internal (RFC1918) address).
     ];
   };
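Review bot: The rewritten comment above the empty `rules` list says to accept the forwarded packet "specifying the internal (RFC1918) address", but it does not say the accept rule should also be narrowed to the forwarded protocol and port. A reader who matches on the address alone would expose every service on that LAN host rather than the one being forwarded. I would add a line such as `# Match the destination port (and protocol) as well as the address, so that only the forwarded service is reachable.` It would also help to say why the internal address is the one to match, presumably because the DNAT rewrite has already been applied when this chain sees the packet; the chain's hook and the start of its definition are outside the hunk, so confirm before wording it as fact. Minor wording: "in nat-rx chain" reads better as "in the nat-rx chain".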