cp8
newbie
Topic Author
Posts: 26
Joined: Sat Dec 08, 2007 6:46 am

Masquerade and src-nat leaking

Mon Jan 03, 2011 9:11 am

I've got an issue with the firewall leaking private IP addresses to the Internet. Quite regularly I'm seeing packets leave the public interface without the source address being translated. The packets that typically make it through w/o NAT are RST or FIN packets, although not always. Two questions. First, is there any way to create a firewall rule that will match the src address after it's been through the src-nat chain?

Second, what could be causing the source address to not be translated?

The firewall rules are quite simple:
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=public
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Masquerade and src-nat leaking

Mon Jan 03, 2011 9:19 am

Drop invalid packets in firewall.
 
cp8
newbie
Topic Author
Posts: 26
Joined: Sat Dec 08, 2007 6:46 am

Re: Masquerade and src-nat leaking

Mon Jan 03, 2011 9:33 am

> Drop invalid packets in firewall.

Duh. Thank you. =) Sometimes you need someone to point out the obvious. I already had a rule to drop invalid connections but it was in the wrong place. Everything is working properly after relocating it.
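
The fix from this thread, written out as an added example (not part of the original posts and not the poster's actual rule set): connection tracking marks stray packets such as a late RST or FIN for an expired connection as invalid, and srcnat/masquerade is not applied to them, so they leave with the private source address unless the filter drops them first. The accept rules and the rule order shown are assumptions; the NAT rule and the interface name `public` come from the original post.

```routeros
# Added example; the accept rules and their order are assumed, not taken from the thread.
/ip firewall filter
# 1. This rule must sit above every accept rule in the forward chain.
#    A packet that conntrack classifies as invalid is not translated by
#    srcnat, so accepting it forwards the private source address as-is.
add chain=forward connection-state=invalid action=drop comment="drop invalid before any accept"
# 2. Only after that, accept traffic that belongs to tracked connections.
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept

# NAT rule from the original post, unchanged.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=public

# Verify the order. On a router that already has filter rules, "add" appends
# to the end of the list, so the invalid drop has to be moved above the
# existing accept rules; it should be the first entry shown for chain=forward.
/ip firewall filter print where chain=forward
```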
