-rw-r--r-- share/man/man5/pf.conf.5 14
1 files changed, 12 insertions, 2 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index ebc267ae453..73330d1b481 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.487 2011/01/20 08:44:12 sthen Exp $
+.\" $OpenBSD: pf.conf.5,v 1.488 2011/01/23 23:34:18 henning Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: January 20 2011 $
+.Dd $Mdocdate: January 23 2011 $
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -824,6 +824,16 @@ Redirections cannot reflect packets back through the interface they arrive
on, they can only be redirected to hosts connected to different interfaces
or to the firewall itself.
.Pp
+However packets may be redirected to hosts connected to the interface the
+packet arrived on by using redirection with NAT.
+For example:
+.Bd -literal -offset indent
+pass in on $int_if proto tcp from $int_net to $ext_if port 80 \e
+ rdr-to $server
+pass out on $int_if proto tcp to $server port 80 \e
+ received-on $int_if nat-to $int_if
+.Ed
+.Pp
Note that redirecting external incoming connections to the loopback address
will effectively allow an external host to connect to daemons
bound solely to the loopback address, circumventing the traditional
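Review bot: In the new paragraph ahead of the `.Bd -literal` example, the text says redirection with NAT makes this work but never says why the `nat-to $int_if` rule is needed or what it costs. I would add a sentence explaining that without source translation the server answers the client directly on the shared network, so the client receives a reply from an address it never contacted, and that with it the server sees every such connection as coming from the firewall's $int_if address, which means server-side logs and address-based access controls no longer see the real client. Two smaller points: "However packets" wants a comma after "However", and the unchanged sentence just above still says redirections "can only" go to hosts on different interfaces, which the new paragraph now contradicts; consider rewording that sentence so it applies to redirection without NAT.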