| author | Henning Brauer <henning@cvs.openbsd.org> | 2003-10-24 19:32:00 +0000 |
|---|---|---|
| committer | Henning Brauer <henning@cvs.openbsd.org> | 2003-10-24 19:32:00 +0000 |
| commit | 60d40ef937404ccf56e671127398007aff350afc (patch) | |
| tree | 4aa2fa86709e465e22a5368bf2b23ededc89b92f /share/man/man5/pf.conf.5 | |
| parent | db6994ee4af1bc31c05989eeb418d5de89e61834 (diff) | |
consistently use $ext_if / $int_if in the examples
from jared r r spiegel <jrrs@ice-nine.org>
ok canacar@ jmc@
Diffstat (limited to 'share/man/man5/pf.conf.5')
-rw-r--r-- | share/man/man5/pf.conf.5 | 57 |
1 files changed, 29 insertions, 28 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 075f201db27..5eab421a4e3 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.273 2003/10/07 20:18:36 deraadt Exp $ +.\" $OpenBSD: pf.conf.5,v 1.274 2003/10/24 19:31:59 henning Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -2072,8 +2072,11 @@ This example maps incoming requests on port 80 to port 8080, on which a daemon is running (because, for example, it is not run as root, and therefore lacks permission to bind to port 80). .Bd -literal +# use a macro for the interface name, so it can be changed easily +ext_if = \&"ne3\&" + # map daemon on 8080 to appear to be on 80 -rdr on ne3 proto tcp from any to any port 80 -> 127.0.0.1 port 8080 +rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080 .Ed .Pp If the @@ -2081,7 +2084,8 @@ If the modifier is given, packets matching the translation rule are passed without inspecting the filter rules: .Bd -literal -rdr pass on ne3 proto tcp from any to any port 80 -> 127.0.0.1 port 8080 +rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 \e + port 8080 .Ed .Pp In the example below, vlan12 is configured as 192.168.168.1; 
@@ -2096,83 +2100,80 @@ for the nodes on vlan12. nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111 .Ed .Pp -In the example below, fxp1 is the outside interface; the machine sits between a -fake internal 144.19.74.* network, and a routable external IP of 204.92.77.100. +In the example below, the machine sits between a fake internal 144.19.74.* +network, and a routable external IP of 204.92.77.100. The .Ar no nat rule excludes protocol AH from being translated. .Bd -literal # NO NAT -no nat on fxp1 proto ah from 144.19.74.0/24 to any -nat on fxp1 from 144.19.74.0/24 to any -> 204.92.77.100 +no nat on $ext_if proto ah from 144.19.74.0/24 to any +nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100 .Ed .Pp -In the example below, fxp0 is the internal interface. -Packets bound -for one specific server, as well as those generated by the sysadmins -are not proxied; all other connections are. +In the example below, packets bound for one specific server, as well as those +generated by the sysadmins are not proxied; all other connections are. .Bd -literal # NO RDR -no rdr on fxp0 proto { tcp, udp } from any to $server port 80 -no rdr on fxp0 proto { tcp, udp } from $sysadmins to any port 80 -rdr on fxp0 proto { tcp, udp } from any to any port 80 -> 127.0.0.1 port 80 +no rdr on $int_if proto { tcp, udp } from any to $server port 80 +no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80 +rdr on $int_if proto { tcp, udp } from any to any port 80 -> 127.0.0.1 \e + port 80 .Ed .Pp This longer example uses both a NAT and a redirection. -Interface kue0 is the outside interface, and its external address is -157.161.48.183. -Interface fxp0 is the inside interface, and we are running +The external interface has the address 157.161.48.183. +On the internal interface, we are running .Xr ftp-proxy 8 , listening for outbound ftp sessions captured to port 8021. .Bd -literal # NAT # Translate outgoing packets' source addresses (any protocol). 
# In this case, any address but the gateway's external address is mapped. -nat on kue0 inet from ! (kue0) to any -> (kue0) +nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if) # NAT PROXYING # Map outgoing packets' source port to an assigned proxy port instead of # an arbitrary port. # In this case, proxy outgoing isakmp with port 500 on the gateway. -nat on kue0 inet proto udp from any port = isakmp to any -> (kue0) \e +nat on $ext_if inet proto udp from any port = isakmp to any -> ($ext_if) \e port 500 # BINAT # Translate outgoing packets' source address (any protocol). # Translate incoming packets' destination address to an internal machine # (bidirectional). -binat on kue0 from 10.1.2.150 to any -> (kue0) +binat on $ext_if from 10.1.2.150 to any -> ($ext_if) # RDR # Translate incoming packets' destination addresses. # As an example, redirect a TCP and UDP port to an internal machine. -rdr on kue0 inet proto tcp from any to (kue0) port 8080 -> 10.1.2.151 \e - port 22 -rdr on kue0 inet proto udp from any to (kue0) port 8080 -> 10.1.2.151 \e - port 53 +rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e + -> 10.1.2.151 port 22 +rdr on $ext_if inet proto udp from any to ($ext_if) port 8080 \e + -> 10.1.2.151 port 53 # RDR # Translate outgoing ftp control connections to send them to localhost # for proxying with ftp-proxy(8) running on port 8021. -rdr on fxp0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021 +rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021 .Ed .Pp In this example, a NAT gateway is set up to translate internal addresses using a pool of public addresses (192.0.2.16/28) and to redirect incoming web server connections to a group of web servers on the internal network. -Interface fxp0 is the external interface. .Bd -literal # NAT LOAD BALANCE # Translate outgoing packets' source addresses using an address pool. 
# A given source address is always translated to the same pool address by # using the source-hash keyword. -nat on fxp0 inet from any to any -> 192.0.2.16/28 source-hash +nat on $ext_if inet from any to any -> 192.0.2.16/28 source-hash # RDR ROUND ROBIN # Translate incoming web server connections to a group of web servers on # the internal network. -rdr on fxp0 proto tcp from any to any port 80 \e +rdr on $ext_if proto tcp from any to any port 80 \e -> { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin .Ed .Sh FILTER EXAMPLES |
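Review bot: in the hunk at @@ -2072,8 +2072,11 @@, the added `ext_if = \&"ne3\&"` line is the only macro definition anywhere in this diff, while the later hunks reference `$int_if` without defining it; pfctl rejects a ruleset that uses an undefined macro, so a reader who copies the NO RDR or ftp-proxy example verbatim gets a load error rather than a working rule. Suggest adding `int_if = \&"fxp0\&"` (fxp0 being the inside interface the removed text named) alongside the ext_if definition, or a one-line pointer to the MACROS section, so that every macro the examples use has a visible assignment.

Review bot: in the hunk at @@ -2096,83 +2100,80 @@, deleting "fxp1 is the outside interface", "fxp0 is the internal interface" and "Interface kue0 is the outside interface" removes the only statements of which side each rule attaches to; the replacement sentences ("the machine sits between a fake internal 144.19.74.* network, and a routable external IP", "The external interface has the address 157.161.48.183") never say that `$ext_if` is the outside and `$int_if` the inside interface, and the `no rdr on $int_if` / `nat on $ext_if` pairs only read correctly with that mapping. Suggest one clause such as "where $ext_if is the external interface and $int_if the internal one" in the first example that uses both. Minor: the comma in "network, and a routable external IP" is carried over from the old text but now separates a simple compound object and should go.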