ipfilter 3.0.4

1 files changed, 70 insertions, 0 deletions

diff --git a/sbin/ipnat/ipnat.5 b/sbin/ipnat/ipnat.5
new file mode 100644
index 00000000000..51fdbee0def
--- /dev/null
+++ b/sbin/ipnat/ipnat.5
@@ -0,0 +1,70 @@
+.LP
+.TH IPNAT 5
+.SH NAME
+ipnat - IP NAT file format
+.SH DESCRIPTION
+The format for files accepted by ipnat is described by the following grammar:
+.LP
+.nf
+ipmap :: = mapit ifname ipmask "->" ipmask [ mapport ] .
+
+mapit ::= "map" | "rdr" .
+ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
+mapport ::= "portmap" tcpudp portnumber ":" portnumber .
+
+tcpudp ::= "tcp" | "udp" | "tcp/udp" .
+portnumber ::= number { numbers } .
+ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
+
+numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
+.fi
+.PP
+For standard NAT functionality, a rule should start with \fBmap\fP and then
+proceeds to specify the interface for which outgoing packets will have their
+source address rewritten.
+.PP
+Packets which will be rewritten can only be selected by matching the original
+source address.  A netmask must be specified with the IP address.
+.PP
+The address selected for replacing the original is chosen from an IP#/netmask
+pair.  A netmask of all 1's indicating a hostname is valid.  A netmask of
+31 1's (255.255.255.254) is considered invalid as there is no space for
+allocating host IP#'s after consideration for broadcast and network
+addresses.
+.PP
+When remapping TCP and UDP packets, it is also possible to change the source
+port number.  Either TCP or UDP or both can be selected by each rule, with a
+range of port numbers to remap into given as \fBport-number:port-number\fP.
+.SH Examples
+.PP
+To change IP#'s used internally from network 10 into an ISP provided 8 bit
+subnet at 209.1.2.0, the following would be used:
+.LP
+.nf
+map 10.0.0.0/8 -> 209.1.2.0/24
+.fi
+.PP
+The obvious problem here is we're trying to squeeze over 16,000,000 IP
+addresses into a 254 address space.  To increase the scope, remapping for TCP
+and/or UDP, port remapping can be used;
+.LP
+.nf
+map 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
+.fi
+.PP
+which falls only 527,566 `addresses' short of the space available in network
+10.  If we were to combine these rules, they would need to be specified as
+follows:
+.LP
+.nf
+map 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
+map 10.0.0.0/8 -> 209.1.2.0/24
+.fi
+.PP
+so that all TCP/UDP packets were port mapped and only other protocols, such as
+ICMP, only have their IP# changed.
+.SH FILES
+/etc/services
+/etc/hosts
+.SH SEE ALSO
+ipnat(1), ipf(5), ipnat(4)