DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor2830/3.3.6->3.3.7 Reverse Firewall rules?

09 Sep 2012 12:26 #1 by iancg
I have some NAT port redirections which stopped working after a recent upgrade from 3.3.6 to 3.3.7.

I discovered that the firewall was blocking reverse traffic from these redirections (e.g. WAN->LAN SYN was passed, but LAN->WAN SYN ACK and hello was blocked - the block was recorded in the syslog). My default rule is block all.

Looking at my firewall rules, I realised that for some time I have had an odd inconsistency: I had forward and reverse rules for some NAT port redirections, but not others (e.g. WAN to LAN any source->nat target [mail server], any source port to dest port 25. I have had to add LAN to WAN nat target [mail server]->any destination, source port 25 to any dest port).

I'm now left wondering if:

a) I should have always had the reverse rules and was exploiting some bug in the firewall that was fixed in 3.3.7
b) I should never need the reverse rules (it does seem odd that I would need the reverse rule, and I don't really want outside traffic to initiate connections which having the reverse rule would appear to allow) and a bug has been introduced in 3.3.7.
c) [Having read the forum for other firewall/upgrade-related rules] If this problem is because I didn't use the rst firmware and re-key all my config.

Does anyone know if I should have the reverse rules?

Do the reverse rules behave differently for NAT vs no-NAT sessions? (I don't have any reverse rules for dynamic NATs and I definitely wouldn't want any).

I saw several people mention printing out the config - is there a better way to do this than take screen shots of every config page - which seems very tedious?

Sorry - many questions. Thanks in advance for any suggestions/answers.
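The behaviour described in the post (WAN->LAN SYN passed, LAN->WAN SYN-ACK blocked, default rule block all) is what a packet filter does when every packet, replies included, has to match a rule on its own, and the "reverse rule" workaround is what makes such a filter pass the replies. The model below, an added example that is not from the post and does not reproduce the Vigor's own firewall code, contrasts that stateless evaluation with a connection-tracking (stateful) filter on the same SMTP session. Addresses, ports and the `Rule`/`Packet` types are constructed for the example; the LAN address stands for the NAT target after translation.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the example (not from the post).
MAIL_SERVER = "10.0.0.25"      # LAN host that the NAT port redirection targets
WAN_CLIENT = "203.0.113.5"     # remote SMTP client on the internet
ANY = None                     # wildcard in a rule field


@dataclass(frozen=True)
class Packet:
    direction: str   # "WAN->LAN" or "LAN->WAN" (post-NAT addresses are used)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # "SYN", "SYN-ACK", "ACK", "PSH-ACK"

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        """Key of the session-opening packet this packet would be replying to."""
        return (self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    direction: str
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    action: str      # "pass" or "block"

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.src in (ANY, p.src)
                and self.sport in (ANY, p.sport)
                and self.dst in (ANY, p.dst)
                and self.dport in (ANY, p.dport))


def first_match(rules, p: Packet, default="block") -> str:
    """First matching rule wins; the default rule is 'block all' as in the post."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def stateless_filter(rules, packets):
    """Every packet, including replies, must match a rule on its own."""
    return [first_match(rules, p) for p in packets]


def stateful_filter(rules, packets):
    """Only session-opening packets are checked against the rules; packets
    belonging to a session that was already allowed pass automatically."""
    sessions = set()
    verdicts = []
    for p in packets:
        if p.key() in sessions or p.reverse_key() in sessions:
            verdicts.append("pass")          # part of an established session
            continue
        verdict = first_match(rules, p)
        if verdict == "pass":
            sessions.add(p.key())            # remember the allowed session
        verdicts.append(verdict)
    return verdicts


# The forward rule from the post (any source -> mail server port 25) and the
# reverse rule the poster had to add (mail server port 25 -> any destination).
FORWARD_RULE = Rule("WAN->LAN", ANY, ANY, MAIL_SERVER, 25, "pass")
REVERSE_RULE = Rule("LAN->WAN", MAIL_SERVER, 25, ANY, ANY, "pass")

# Constructed SMTP session: handshake plus the server's 220 banner.
SMTP_SESSION = [
    Packet("WAN->LAN", WAN_CLIENT, 40000, MAIL_SERVER, 25, "SYN"),
    Packet("LAN->WAN", MAIL_SERVER, 25, WAN_CLIENT, 40000, "SYN-ACK"),
    Packet("WAN->LAN", WAN_CLIENT, 40000, MAIL_SERVER, 25, "ACK"),
    Packet("LAN->WAN", MAIL_SERVER, 25, WAN_CLIENT, 40000, "PSH-ACK"),
]

# A connection the mail server opens on its own from source port 25: not a
# reply to anything, but it fits the reverse rule as written.
UNSOLICITED_OUTBOUND = [
    Packet("LAN->WAN", MAIL_SERVER, 25, "198.51.100.7", 4444, "SYN"),
]


def compare():
    """Verdict lists for each filter model and rule set."""
    return {
        "stateless, forward rule only": stateless_filter([FORWARD_RULE], SMTP_SESSION),
        "stateless, forward + reverse": stateless_filter([FORWARD_RULE, REVERSE_RULE], SMTP_SESSION),
        "stateful, forward rule only": stateful_filter([FORWARD_RULE], SMTP_SESSION),
        "stateless reverse rule, unsolicited outbound": stateless_filter([FORWARD_RULE, REVERSE_RULE], UNSOLICITED_OUTBOUND),
        "stateful, unsolicited outbound": stateful_filter([FORWARD_RULE], UNSOLICITED_OUTBOUND),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name}: {verdicts}")
```

The stateless run with only the forward rule reproduces the symptom in the post (SYN and ACK pass, SYN-ACK and banner are blocked). Adding the reverse rule fixes the session but, because it matches on source port alone, it also passes a connection the mail server initiates outbound from port 25, which is the concern raised in point b). The stateful filter passes the whole session with the forward rule only and still blocks the unsolicited outbound SYN, which is why a reverse rule is not normally needed on a firewall that tracks sessions.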

