author | Henning Brauer <henning@cvs.openbsd.org> | 2003-06-03 12:18:03 +0000 |
---|---|---|
committer | Henning Brauer <henning@cvs.openbsd.org> | 2003-06-03 12:18:03 +0000 |
commit | 852f407794d9f047e36e18df159cf35887f981a9 (patch) | |
tree | 432cf315f0b2a0c4f9636b19142bd5db9f053e2f /share/man | |
parent | 1d684f34c2256cea78c625b251fad407c89a138b (diff) |
make crystal clear that NAT happens before filtering and what that
means for the filter rules.
from Joel Knight again
ok cedric@, silence everybody else
Diffstat (limited to 'share/man')
-rw-r--r-- | share/man/man5/pf.conf.5 | 22 |
1 files changed, 15 insertions, 7 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 7ea0515c6a5..590e84e919f 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.249 2003/06/02 20:05:49 david Exp $ +.\" $OpenBSD: pf.conf.5,v 1.250 2003/06/03 12:18:02 henning Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -866,7 +866,19 @@ such a rule as long as they are not blocked by the filtering section of The translation engine modifies the specified address and/or port in the packet, recalculates IP, TCP and UDP checksums as necessary, and passes it to the packet filter for evaluation. -Translation occurs before filtering. +.Pp +Since translation occurs before filtering the filter +engine will see packets as they look after any +addresses and ports have been translated. Filter rules +will therefore have to filter based on the translated +address and port number. In addition, packets that +match a translation rule are not automatically passed +through the packet filter; translated packets are +still subject to +.Ar block +and +.Ar pass +rules. .Pp The state entry created permits .Xr pf 4 @@ -931,11 +943,7 @@ option prefixed to a translation rule causes packets to remain untranslated, much in the same way as .Ar drop quick works in the packet filter (see below). -.Pp -If no rule matches the packet, the packet is passed to the filter unmodified. -Translation occurs before the filter rules are applied; -therefore rules for redirected packets should specify the address and port -after translation. +If no rule matches the packet it is passed to the filter engine unmodified. .Pp Translation rules apply only to packets that pass through the specified interface, and if no interface is specified, |
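Review bot: In the second hunk (@@ -866,7 +866,19 @@) the new paragraph breaks the mdoc "new sentence, new line" convention that the rest of pf.conf.5 follows: "translated. Filter rules", "address and port number. In addition, packets that" and "through the packet filter; translated packets are" all start a sentence mid-line, and "Since translation occurs before filtering the filter" wants a comma after "filtering". Reflow so each sentence begins on its own line. Beyond style, "Filter rules will therefore have to filter based on the translated address and port number" is true only for filter rules evaluated on the interface the nat/rdr rule is bound to and on interfaces the packet crosses afterwards; a rule evaluated earlier in the packet's path (for instance pass in on the internal interface, for traffic that a nat rule will later rewrite on its way out the external interface) still sees the original addresses. Since that is exactly the confusion the commit message says it wants to remove, a clause to that effect, or a two-line example pairing an rdr on the external interface with the pass in rule on that same interface whose destination is the internal address and port, would make the paragraph precise.

Review bot: In the third hunk (@@ -931,11 +943,7 @@) dropping the ".Pp" together with the old paragraph leaves "If no rule matches the packet it is passed to the filter engine unmodified." glued onto the end of the paragraph about the "no" prefix, where it reads as a statement about unmatched "no" rules rather than about the translation section as a whole. Keep the ".Pp" so the sentence stays a paragraph of its own (or move it up next to "and passes it to the packet filter for evaluation." in the previous hunk, which it complements), and add the comma: "If no rule matches the packet, it is passed to the filter engine unmodified." The deletion itself is correct: the removed "Translation occurs before the filter rules are applied; therefore rules for redirected packets should specify the address and port after translation." would otherwise duplicate the new paragraph.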