I discovered something that seemed strange at first, but is somewhat

I have multiple /29 subnets assigned to the public interface of my BM
server. I am nat'ing addresses from each subnet to internal hosts. This
was working fine when packet filters weren't loaded. I wanted to start
filtering and set up a stateful exception for port 80 with a destination
address of the internal host. This has worked perfectly for me in the past,
but didn't do the job here.

I captured the traffic and found that there is a public to public
translation that happens in this case. The nat'ing only REALLY happens on
the actual binding for the NIC. Is it SAFE to create an exception that
allows all PUBLIC to PUBLIC traffic to deal with this situation? My normal
filters will work fine if this is in place.

Am I doing something wrong or is this supposed to work this way?