diff options
Diffstat (limited to 'share')
-rw-r--r-- | share/man/man5/nat.conf.5 | 246 |
1 files changed, 0 insertions, 246 deletions
diff --git a/share/man/man5/nat.conf.5 b/share/man/man5/nat.conf.5 deleted file mode 100644 index 9533b0bf346..00000000000 --- a/share/man/man5/nat.conf.5 +++ /dev/null @@ -1,246 +0,0 @@ -.\" $OpenBSD: nat.conf.5,v 1.27 2002/06/11 02:12:37 dhartmei Exp $ -.\" -.\" Copyright (c) 2001 Ian Darwin. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. The name of the author may not be used to endorse or promote products -.\" derived from this software without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd June 26, 2001 -.Dt NAT.CONF 5 -.Os -.Sh NAME -.Nm nat.conf -.Nd network address translation (NAT) configuration file for packet filtering -.Sh DESCRIPTION -The rules file for network address translation specify which addresses -are to be mapped and which are to be redirected. -.Pp -A -.Em nat -rule specifies that IP addresses are to be changed as the packet -traverses the given interface. -This technique of network address translation (NAT) allows a single -IP address on the translating host to support network traffic for a -larger range of machines on an inside network. -Although in theory any IP address can be used on the inside, it is strongly -recommended that one of the address ranges defined by RFC 1918 be used. -These netblocks are: -.Bd -literal -10.0.0.0 - 10.255.255.255 (all of net 10, i.e., 10/8) -172.16.0.0 - 172.31.255.255 (i.e., 172.16/12) -192.168.0.0 - 192.168.255.255 (i.e., 192.168/16) -.Ed -.Pp -A -.Em binat -rule specifies a bidirectional map between an external IP address and an -an internal IP address. -.Pp -An -.Em rdr -rule specifies an incoming connection to be redirected -to another host and optionally a different port. -.Pp -Note that all translation rules apply only to packets that pass through -the specified interface. -For instance, redirecting port 80 on an external interface to an -internal web server will only work for connections originating from -the outside. -Connections to the address of the external interface from local hosts -will not be redirected, since such packets do not actually pass through -the external interface. -Redirections can't reflect packets back through the interface they -arrive on, they can only be redirected to hosts connected to different -interfaces or to the firewall itself. -.Pp -Also note that all translations of packets occur before the filter -rules in -.Xr pf.conf 5 -are evaluated. -Hence, 'pass in' rules for redirected packets should specify the -address/port after translation. -.Sh GRAMMAR -Syntax for filter rules in BNF: -.Bd -literal -rule = [ "no" ] ( nat_rule | binat_rule | rdr_rule ) . - -nat_rule = "nat" "on" [ "!" ] ifname [ protospec ] hosts - [ "->" address [ portspec ] ] . - -binat_rule = "binat" "on" ifname [ protospec ] "from" address - "to" ipspec [ "->" address ] . - -rdr_rule = "rdr" "on" [ "!" ] ifname [ protospec ] "from" ipspec - "to" ipspec [ portspec ] [ "->" address [ portspec ] ] . - -protospec = "proto" ( number | "tcp" | "udp" | "icmp" ) . - -ipspec = "any" | host | "{" host-list "}" . - -portspec = "port" ( number | name ) [ ":" ( "*" | number | name ) ] . - -hosts = "all" | - "from" ( "any" | host | "{" host-list "}" ) [ port ] - "to" ( "any" | host | "{" host-list "}" ) [ port ] . - -host = [ "!" ] address [ "/" mask-bits ] . -address = ( interface-name | "(" interface-name ")" | host-name | - ipv4-dotted-quad | ipv6-coloned-hex ) . -host-list = host [ "," host-list ] . - -port = "port" ( unary-op | binary-op | "{" op-list "}" ) . -unary-op = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ] - ( name | number ) . -binary-op = number ( "<>" | "><" ) number . -op-list = ( unary-op | binary-op ) [ "," op-list ] . -.Ed -.Pp -Comments begin with the character `#'; empty lines are ignored. -Rules are processed in the order read, one rule per line. -The first matching rule is applied. -Rules prefixed with "no" lead to no translation. -Such rules can be used to exclude certain connections from being -translated. -.Pp -An -.Em ifname -is a network interface such as fxp4, ne0, or ep1. -.Em address -can be specified in CIDR notation (matching a netblock), as -symbolic host name or interface name. -Host name resolution and interface to address translation are done at rule -set load-time. -When the address of an interface (or host name) changes (by DHCP or PPP, -for instance), the rule set must be reloaded for the change to be reflected -in the kernel. -Interface names surrounded by parentheses cause an automatic update of -the rule whenever the referenced interface changes its address. -Reloading the rule set is not required in this case. -If specified, -.Em mask-bits -refers to the number of bits in the netmask. -The negation character, -.Sq ! , -may be used before an -.Em ifname -or an -.Em address . -The protocol specification is optional. -If it is omitted, the rule applies to packets of all protocols. -.Pp -.Em rdr -rules can optionally specify port ranges instead of single ports. -\'rdr ... port 2000:2999 -> ... port 4000\' redirects ports 2000 to 2999 -(including port 2000 and 2999) to the same port 4000. -\'rdr ... port 2000:2999 -> ... port 4000:*\' redirects port 2000 to 4000, -2001 to 4001, ..., 2999 to 4999. -.Sh EXAMPLES -This example maps incoming requests on port 80 to port 8080, on -which Apache Tomcat is running (say Tomcat is not run as root, -therefore lacks permission to bind to port 80). -.Bd -literal -# map tomcat on 8080 to appear to be on 80 -rdr on ne3 proto tcp from any to any port 80 -> 127.0.0.1 port 8080 -.Ed -.Pp -In the example below, vlan12 is configured for the 192.168.168.1; -the machine translates all packets coming from 192.168.168.0/24 to 204.92.77.111 -when they are going out any interface except vlan12. -This has the net effect of making traffic from the 192.168.168.0/24 -network appear as though it is the Internet routeable address -204.92.77.111 to nodes behind any interface on the router except -for the nodes on vlan12. -(Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.) -.Bd -literal -nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111 -.Ed -.Pp -In the example below, fxp1 is the outside interface; the machine sits between a -fake internal 144.19.74.* network, and a routable external IP of 204.92.77.100. -The "no nat" rule excludes protocol AH from being translated. -.Bd -literal -no nat on fxp1 proto ah from 144.19.74.0/24 to any -nat on fxp1 from 144.19.74.0/24 to any -> 204.92.77.100 -.Ed -.Pp -In the example below, fxp0 is the outside interface; a 1:1 -bidirectional map is created between the private address 192.168.1.5 -and the routable external address 204.92.77.113. -(Thus, incoming traffic to 204.92.77.113 is mapped to the internal -address 192.168.1.5.) -.Bd -literal -binat on fxp0 from 192.168.1.5 to any -> 204.92.77.113 -.Ed -.Pp -This longer example uses both a NAT and a redirection. -Interface kue0 is the outside interface, and its external address is -157.161.48.183. -Interface fxp0 is the inside interface, and we are running -.Xr ftp-proxy 8 -listening for outbound ftp sessions captured to port 8081. -.Bd -literal -# NAT -# translate outgoing packets' source addresses (any protocol) -# in my case, any address but the gateway's external address is mapped -# -nat on kue0 from ! (kue0) to any -> (kue0) - -# BINAT -# translate outgoing packets' source address (any protocol) -# translate incoming packets' destination address to an internal machine -# (bidirectional) -binat on kue0 from 10.1.2.150 to any -> (kue0) - -# RDR -# translate incoming packets' destination addresses -# as an example, redirect a TCP and UDP port to an internal machine -# NOTE: the lines below are split for readability -# -rdr on kue0 proto tcp from any to (kue0) port 8080 -> 10.1.2.151 port 22 -rdr on kue0 proto udp from any to (kue0) port 8080 -> 10.1.2.151 port 53 - -# RDR -# translate outgoing ftp control connections to send them to localhost -# for proxying with ftp-proxy(8) running on port 8081 -rdr on fxp0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081 - -.Ed -.Sh FILES -.Bl -tag -width "/etc/nat.conf" -compact -.It Pa /etc/hosts -.It Pa /etc/nat.conf -.It Pa /etc/protocols -.It Pa /etc/services -.El -.Sh SEE ALSO -.Xr pf 4 , -.Xr hosts 5 , -.Xr pf.conf 5 , -.Xr protocols 5 , -.Xr services 5 , -.Xr ftp-proxy 8 , -.Xr pfctl 8 -.Sh HISTORY -The -.Nm -file format appeared in -.Ox 3.0 . |