author: Daniel Hartmeier <dhartmei@cvs.openbsd.org> 2003-03-04 23:40:04 +0000
committer: Daniel Hartmeier <dhartmei@cvs.openbsd.org> 2003-03-04 23:40:04 +0000
commit: 52ee084d78d1cb168b9a28685df99485331a4386 (patch)
tree: c2a114e8be25c4d4d03557f9718deb9d66beab20
parent: c4df9e14f8f7eb664b6d139147020d25d862ced7 (diff)
Add a paragraph explaining possible unwanted side-effects of redirecting
to the loopback address.
-rw-r--r--  share/man/man5/pf.conf.5 | 18
1 file changed, 17 insertions, 1 deletion
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 8f18398d7e3..ceb95e98568 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.207 2003/03/04 22:50:36 deraadt Exp $
+.\" $OpenBSD: pf.conf.5,v 1.208 2003/03/04 23:40:03 dhartmei Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -843,6 +843,22 @@ Redirections cannot reflect packets back through the interface they arrive
on, they can only be redirected to hosts connected to different interfaces
or to the firewall itself.
.Pp
+Note that redirecting external incoming connections to the loopback
+address, as in
+.Bd -literal -offset indent
+.Xo Ic rdr on ne3 inet proto tcp\
+.Ic to port 8025 -> 127.0.0.1 port 25
+.Xc
+.Ed
+.Pp
+will effectively allow an external host to connect to daemons
+bound solely to the loopback address, circumventing the traditional
+blocking of such connections on a real interface.
+Unless this effect is desired, any of the local non-loopback addresses
+should be used as redirection target instead, which allows external
+connections only to daemons bound to this address or not bound to
+any address.
+.Pp
.Sh PACKET FILTERING
.Xr pf 4
has the ability to
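Review bot: the new paragraph shows only the loopback form of the rule and leaves the reader to construct the recommended one; after the closing `.Pp` it would help to add a second display with the same `rdr` rule rewritten to target one of the firewall's non-loopback addresses (the address assigned to ne3 would be the natural choice), so the safe form is as copyable as the unsafe one. The rationale is already well stated: a daemon bound only to 127.0.0.1 is usually relying on that binding as its access control, and the redirection silently removes it. One formatting check: the trailing backslash on `.Xo Ic rdr on ne3 inet proto tcp\` is a roff line continuation, which splices the following `.Ic to port 8025 -> 127.0.0.1 port 25` onto the same macro line; since the `.Xo`/`.Xc` pair already spans the two lines, please confirm the rendered output shows the rule as intended and drop the backslash if it is not needed.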