author Henning Brauer <henning@cvs.openbsd.org> 2003-10-24 19:32:00 +0000
committer Henning Brauer <henning@cvs.openbsd.org> 2003-10-24 19:32:00 +0000
commit 60d40ef937404ccf56e671127398007aff350afc
tree 4aa2fa86709e465e22a5368bf2b23ededc89b92f
parent db6994ee4af1bc31c05989eeb418d5de89e61834
consistently use $ext_if / $int_if in the examples
from jared r r spiegel <jrrs@ice-nine.org> ok canacar@ jmc@
-rw-r--r-- share/man/man5/pf.conf.5 57
1 files changed, 29 insertions, 28 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 075f201db27..5eab421a4e3 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.273 2003/10/07 20:18:36 deraadt Exp $
+.\" $OpenBSD: pf.conf.5,v 1.274 2003/10/24 19:31:59 henning Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -2072,8 +2072,11 @@ This example maps incoming requests on port 80 to port 8080, on
which a daemon is running (because, for example, it is not run as root,
and therefore lacks permission to bind to port 80).
.Bd -literal
+# use a macro for the interface name, so it can be changed easily
+ext_if = \&"ne3\&"
+
# map daemon on 8080 to appear to be on 80
-rdr on ne3 proto tcp from any to any port 80 -> 127.0.0.1 port 8080
+rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080
.Ed
.Pp
If the
@@ -2081,7 +2084,8 @@ If the
modifier is given, packets matching the translation rule are passed without
inspecting the filter rules:
.Bd -literal
-rdr pass on ne3 proto tcp from any to any port 80 -> 127.0.0.1 port 8080
+rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 \e
+ port 8080
.Ed
.Pp
In the example below, vlan12 is configured as 192.168.168.1;
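Review bot: the continuation introduced in this hunk wraps the rdr rule after the translation address (`-> 127.0.0.1 \e` followed by ` port 8080`), whereas the wrapped rdr rules later in this same file break before the arrow (`port 8080 \e` followed by ` -> 10.1.2.151 port 22`). Pick one break position for wrapped translation rules so the examples read uniformly; breaking before `->` keeps the whole target `127.0.0.1 port 8080` on a single line, which is easier to scan.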
@@ -2096,83 +2100,80 @@ for the nodes on vlan12.
nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111
.Ed
.Pp
-In the example below, fxp1 is the outside interface; the machine sits between a
-fake internal 144.19.74.* network, and a routable external IP of 204.92.77.100.
+In the example below, the machine sits between a fake internal 144.19.74.*
+network, and a routable external IP of 204.92.77.100.
The
.Ar no nat
rule excludes protocol AH from being translated.
.Bd -literal
# NO NAT
-no nat on fxp1 proto ah from 144.19.74.0/24 to any
-nat on fxp1 from 144.19.74.0/24 to any -> 204.92.77.100
+no nat on $ext_if proto ah from 144.19.74.0/24 to any
+nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100
.Ed
.Pp
-In the example below, fxp0 is the internal interface.
-Packets bound
-for one specific server, as well as those generated by the sysadmins
-are not proxied; all other connections are.
+In the example below, packets bound for one specific server, as well as those
+generated by the sysadmins are not proxied; all other connections are.
.Bd -literal
# NO RDR
-no rdr on fxp0 proto { tcp, udp } from any to $server port 80
-no rdr on fxp0 proto { tcp, udp } from $sysadmins to any port 80
-rdr on fxp0 proto { tcp, udp } from any to any port 80 -> 127.0.0.1 port 80
+no rdr on $int_if proto { tcp, udp } from any to $server port 80
+no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80
+rdr on $int_if proto { tcp, udp } from any to any port 80 -> 127.0.0.1 \e
+ port 80
.Ed
.Pp
This longer example uses both a NAT and a redirection.
-Interface kue0 is the outside interface, and its external address is
-157.161.48.183.
-Interface fxp0 is the inside interface, and we are running
+The external interface has the address 157.161.48.183.
+On the internal interface, we are running
.Xr ftp-proxy 8 ,
listening for outbound ftp sessions captured to port 8021.
.Bd -literal
# NAT
# Translate outgoing packets' source addresses (any protocol).
# In this case, any address but the gateway's external address is mapped.
-nat on kue0 inet from ! (kue0) to any -> (kue0)
+nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
# NAT PROXYING
# Map outgoing packets' source port to an assigned proxy port instead of
# an arbitrary port.
# In this case, proxy outgoing isakmp with port 500 on the gateway.
-nat on kue0 inet proto udp from any port = isakmp to any -> (kue0) \e
+nat on $ext_if inet proto udp from any port = isakmp to any -> ($ext_if) \e
port 500
# BINAT
# Translate outgoing packets' source address (any protocol).
# Translate incoming packets' destination address to an internal machine
# (bidirectional).
-binat on kue0 from 10.1.2.150 to any -> (kue0)
+binat on $ext_if from 10.1.2.150 to any -> ($ext_if)
# RDR
# Translate incoming packets' destination addresses.
# As an example, redirect a TCP and UDP port to an internal machine.
-rdr on kue0 inet proto tcp from any to (kue0) port 8080 -> 10.1.2.151 \e
- port 22
-rdr on kue0 inet proto udp from any to (kue0) port 8080 -> 10.1.2.151 \e
- port 53
+rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e
+ -> 10.1.2.151 port 22
+rdr on $ext_if inet proto udp from any to ($ext_if) port 8080 \e
+ -> 10.1.2.151 port 53
# RDR
# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8021.
-rdr on fxp0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
+rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
.Ed
.Pp
In this example, a NAT gateway is set up to translate internal addresses
using a pool of public addresses (192.0.2.16/28) and to redirect
incoming web server connections to a group of web servers on the internal
network.
-Interface fxp0 is the external interface.
.Bd -literal
# NAT LOAD BALANCE
# Translate outgoing packets' source addresses using an address pool.
# A given source address is always translated to the same pool address by
# using the source-hash keyword.
-nat on fxp0 inet from any to any -> 192.0.2.16/28 source-hash
+nat on $ext_if inet from any to any -> 192.0.2.16/28 source-hash
# RDR ROUND ROBIN
# Translate incoming web server connections to a group of web servers on
# the internal network.
-rdr on fxp0 proto tcp from any to any port 80 \e
+rdr on $ext_if proto tcp from any to any port 80 \e
-> { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
.Ed
.Sh FILTER EXAMPLES
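Review bot: `$int_if` is referenced in three rules of this hunk (the two `no rdr on $int_if` lines, the `rdr on $int_if ... port 80` line, and the ftp-proxy `rdr on $int_if ... port 8021` line) but is never defined; the only macro definition anywhere in the examples is the `ext_if = "ne3"` added to the first example, and this hunk removes the prose that previously named fxp0 as the internal interface and fxp1/kue0 as the external one. A reader who copies one of these later examples into pf.conf therefore gets a reference to an undefined macro with no hint of what it should be. Suggest one sentence ahead of the NAT examples stating that `$ext_if` and `$int_if` are macros for the external and internal interfaces (as `$server` and `$sysadmins` are likewise assumed to be defined), or a short `ext_if = ...` / `int_if = ...` header on the examples that use both.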