-rw-r--r-- share/man/man5/pf.conf.5 | 32
1 files changed, 18 insertions, 14 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index ea878e6458b..2f3c60786c0 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.58 2002/06/16 17:54:30 henning Exp $ +.\" $OpenBSD: pf.conf.5,v 1.59 2002/06/20 06:21:40 mpech Exp $ .\" .\" Copyright (c) 2001, Daniel Hartmeier .\" All rights reserved. @@ -219,7 +219,8 @@ or to the firewall itself. .It Em block The packet is blocked. Optionally, the filter can return a TCP RST or ICMP UNREACHABLE packet -to the sender, where applicable. Returning ICMP packets can have +to the sender, where applicable. +Returning ICMP packets can have an ICMP code set by number or name, TCP RST can have a TTL set. .It Em pass The packet is passed. @@ -230,12 +231,14 @@ IPv6 packets are not defragmented. .It Em binat A .Em binat -rule specifies a bidirectional mapping between an external IP address and an internal IP address. +rule specifies a bidirectional mapping between an external IP address +and an internal IP address. .It Em nat A .Em nat rule specifies that IP addresses are to be changed as the packet -traverses the given interface. This technique allows a single IP address +traverses the given interface. +This technique allows a single IP address on the translating host to support network traffic for a larger range of machines on an "inside" network. Although in theory any IP address can be used on the inside, it is strongly @@ -295,8 +298,8 @@ The .Sq no option is to a NAT rule what the .Sq quick -option is to a filter rule. This option causes matching packets -to remain untranslated. +option is to a filter rule. +This option causes matching packets to remain untranslated. .Sh ROUTING If a packet matches a rule with a route option set, the packet filter will route the packet according to the type of route option. 
@@ -640,14 +643,16 @@ each think that the other had somehow lost sync. .Pp Caveat: If the state table is flushed or the firewall is rebooted, currently modulated connections can not be continued or picked -up again by the firewall. State modulation causes the firewall to phase +up again by the firewall. +State modulation causes the firewall to phase shift the sequencing of each side of a connection .Po add a random number to each side. .Pc The sudden withdrawl of the modulation will appear to each side of the connection that its -peer has suddenly shifted its sequence by a random amount. Neither side +peer has suddenly shifted its sequence by a random amount. +Neither side will be able to recover and the connection will stall then eventually close. .Sh STATE OPTIONS Both "keep state" and "modulate state" support the following options: @@ -813,12 +818,12 @@ pass out on $ext_if proto tcp all modulate state # pass in certain TCP connections and keep state (SSH, SMTP, DNS, IDENT) pass in on $ext_if proto tcp from any to any port { ssh, smtp, domain, \\ - auth } keep state + auth } flags S/SA keep state # pass in data mode connections for ftp-proxy running on this host. # (see ftp-proxy(8) for details) -pass in on $ext_if proto tcp from any to 157.161.48.183 port >= 41952 \\ - keep state +pass in on $ext_if proto tcp from any to 157.161.48.183 port >= 41951 \\ + flags S/SA keep state .Ed .SH NAT EXAMPLES @@ -851,7 +856,8 @@ no nat on fxp1 proto ah from 144.19.74.0/24 to any nat on fxp1 from 144.19.74.0/24 to any -> 204.92.77.100 .Ed .Pp -In the example below, fxp0 is the internal interface. Packets bound +In the example below, fxp0 is the internal interface. +Packets bound for one specific server, as well as those generated by the sysadmins are not proxied, all other connections are. .Bd -literal 
@@ -889,8 +895,6 @@ rdr on kue0 proto udp from any to (kue0) port 8080 -> 10.1.2.151 port 53 # translate outgoing ftp control connections to send them to localhost # for proxying with ftp-proxy(8) running on port 8081 rdr on fxp0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081 - - .Ed .Sh FILES .Bl -tag -width "/etc/pf.conf" -compact |
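Review bot: in the @@ -219 hunk, the unchanged context line "an ICMP code set by number or name, TCP RST can have a TTL set." joins two independent statements with a comma; since this hunk already splits sentences onto their own lines per mdoc convention, it is the natural place to end the first sentence after "name" and start "TCP RST can have a TTL set." on its own line.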
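Review bot: in the @@ -640 hunk, the context line "The sudden withdrawl of the modulation will appear" carries the misspelling "withdrawl" (should be "withdrawal"); the lines on either side of it are being re-wrapped in this change, so the typo should be fixed in the same pass rather than left for another commit.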
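Review bot: in the @@ -813 hunk, the ftp-proxy data rule's lower bound changes from `port >= 41952` to `port >= 41951` with no explanation, bundled with otherwise cosmetic edits; this widens the accepted port range by one, so the commit message or the example's comment should state which bound ftp-proxy(8) actually uses so the example and the proxy agree. The added `flags S/SA keep state` on both rules is a good change, since state is then created only on the initial SYN rather than on any mid-stream packet that happens to match. For consistency, the unchanged context line `pass out on $ext_if proto tcp all modulate state` would benefit from the same `flags S/SA`, because sequence-number modulation is only meaningful when the state is created from the connection's first packet.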