author Daniel Hartmeier <dhartmei@cvs.openbsd.org> 2002-02-23 01:08:19 +0000
committer Daniel Hartmeier <dhartmei@cvs.openbsd.org> 2002-02-23 01:08:19 +0000
commit dce355db542fb4a1b9d662fdfc4376cf77af2019
tree ded0bb60139fe4e76f0c2492d7dd9314cf066f82 /share/man
parent cddd16be4c2db53c67bedfefd5ce74ba9a0906a3
Mention the two most FAQs near the top, I've explained these too many
times already.
Diffstat (limited to 'share/man')
-rw-r--r-- share/man/man5/nat.conf.5 21
1 files changed, 20 insertions, 1 deletions
diff --git a/share/man/man5/nat.conf.5 b/share/man/man5/nat.conf.5
index 4a46c240942..4f64af3bb33 100644
--- a/share/man/man5/nat.conf.5
+++ b/share/man/man5/nat.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: nat.conf.5,v 1.21 2002/01/08 16:28:12 dhartmei Exp $
+.\" $OpenBSD: nat.conf.5,v 1.22 2002/02/23 01:08:18 dhartmei Exp $
.\"
.\" Copyright (c) 2001 Ian Darwin. All rights reserved.
.\"
@@ -59,6 +59,25 @@ An
.Em rdr
rule specifies an incoming connection to be redirected
to another host and optionally a different port.
+.Pp
+Note that all translation rules apply only to packets that pass through
+the specified interface.
+For instance, redirecting port 80 on an external interface to an
+internal web server will only work for connections originating from
+the outside.
+Connections to the address of the external interface from local hosts
+will not be redirected, since such packets do not actually pass through
+the external interface.
+Redirections can't reflect packets back through the interface they
+arrive on, they can only be redirected to hosts connected to different
+interfaces or to the firewall itself.
+.Pp
+Also note that all translations of packets occur before the filter
+rules in
+.Xr pf.conf 5
+are evaluated.
+Hence, 'pass in' rules for redirected packets should specify the
+address/port after translation.
.Sh GRAMMAR
Syntax for filter rules in BNF:
.Bd -literal
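Review bot: The sentence "Redirections can't reflect packets back through the interface they arrive on, they can only be redirected to hosts ..." in the first added paragraph is a comma splice; split it after "arrive on" into two sentences, each starting on its own line as the rest of the added text does. In the second added paragraph, 'pass in' is set in plain single quotes, where a quoting macro such as .Ql would fit the markup already used in this hunk (.Em, .Xr). Since the commit message says these are the two most frequently asked questions, a short rdr rule shown with its matching pass in rule would make "the address/port after translation" concrete, because a filter rule written against the pre-translation address is the mistake this paragraph is meant to prevent.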