summaryrefslogtreecommitdiff
path: root/share
diff options
context:
space:
mode:
Diffstat (limited to 'share')
-rw-r--r--share/man/man5/nat.conf.5246
1 files changed, 0 insertions, 246 deletions
diff --git a/share/man/man5/nat.conf.5 b/share/man/man5/nat.conf.5
deleted file mode 100644
index 9533b0bf346..00000000000
--- a/share/man/man5/nat.conf.5
+++ /dev/null
@@ -1,246 +0,0 @@
-.\" $OpenBSD: nat.conf.5,v 1.27 2002/06/11 02:12:37 dhartmei Exp $
-.\"
-.\" Copyright (c) 2001 Ian Darwin. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. The name of the author may not be used to endorse or promote products
-.\" derived from this software without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd June 26, 2001
-.Dt NAT.CONF 5
-.Os
-.Sh NAME
-.Nm nat.conf
-.Nd network address translation (NAT) configuration file for packet filtering
-.Sh DESCRIPTION
-The rules file for network address translation specify which addresses
-are to be mapped and which are to be redirected.
-.Pp
-A
-.Em nat
-rule specifies that IP addresses are to be changed as the packet
-traverses the given interface.
-This technique of network address translation (NAT) allows a single
-IP address on the translating host to support network traffic for a
-larger range of machines on an inside network.
-Although in theory any IP address can be used on the inside, it is strongly
-recommended that one of the address ranges defined by RFC 1918 be used.
-These netblocks are:
-.Bd -literal
-10.0.0.0 - 10.255.255.255 (all of net 10, i.e., 10/8)
-172.16.0.0 - 172.31.255.255 (i.e., 172.16/12)
-192.168.0.0 - 192.168.255.255 (i.e., 192.168/16)
-.Ed
-.Pp
-A
-.Em binat
-rule specifies a bidirectional map between an external IP address and an
-an internal IP address.
-.Pp
-An
-.Em rdr
-rule specifies an incoming connection to be redirected
-to another host and optionally a different port.
-.Pp
-Note that all translation rules apply only to packets that pass through
-the specified interface.
-For instance, redirecting port 80 on an external interface to an
-internal web server will only work for connections originating from
-the outside.
-Connections to the address of the external interface from local hosts
-will not be redirected, since such packets do not actually pass through
-the external interface.
-Redirections can't reflect packets back through the interface they
-arrive on, they can only be redirected to hosts connected to different
-interfaces or to the firewall itself.
-.Pp
-Also note that all translations of packets occur before the filter
-rules in
-.Xr pf.conf 5
-are evaluated.
-Hence, 'pass in' rules for redirected packets should specify the
-address/port after translation.
-.Sh GRAMMAR
-Syntax for filter rules in BNF:
-.Bd -literal
-rule = [ "no" ] ( nat_rule | binat_rule | rdr_rule ) .
-
-nat_rule = "nat" "on" [ "!" ] ifname [ protospec ] hosts
- [ "->" address [ portspec ] ] .
-
-binat_rule = "binat" "on" ifname [ protospec ] "from" address
- "to" ipspec [ "->" address ] .
-
-rdr_rule = "rdr" "on" [ "!" ] ifname [ protospec ] "from" ipspec
- "to" ipspec [ portspec ] [ "->" address [ portspec ] ] .
-
-protospec = "proto" ( number | "tcp" | "udp" | "icmp" ) .
-
-ipspec = "any" | host | "{" host-list "}" .
-
-portspec = "port" ( number | name ) [ ":" ( "*" | number | name ) ] .
-
-hosts = "all" |
- "from" ( "any" | host | "{" host-list "}" ) [ port ]
- "to" ( "any" | host | "{" host-list "}" ) [ port ] .
-
-host = [ "!" ] address [ "/" mask-bits ] .
-address = ( interface-name | "(" interface-name ")" | host-name |
- ipv4-dotted-quad | ipv6-coloned-hex ) .
-host-list = host [ "," host-list ] .
-
-port = "port" ( unary-op | binary-op | "{" op-list "}" ) .
-unary-op = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ]
- ( name | number ) .
-binary-op = number ( "<>" | "><" ) number .
-op-list = ( unary-op | binary-op ) [ "," op-list ] .
-.Ed
-.Pp
-Comments begin with the character `#'; empty lines are ignored.
-Rules are processed in the order read, one rule per line.
-The first matching rule is applied.
-Rules prefixed with "no" lead to no translation.
-Such rules can be used to exclude certain connections from being
-translated.
-.Pp
-An
-.Em ifname
-is a network interface such as fxp4, ne0, or ep1.
-.Em address
-can be specified in CIDR notation (matching a netblock), as
-symbolic host name or interface name.
-Host name resolution and interface to address translation are done at rule
-set load-time.
-When the address of an interface (or host name) changes (by DHCP or PPP,
-for instance), the rule set must be reloaded for the change to be reflected
-in the kernel.
-Interface names surrounded by parentheses cause an automatic update of
-the rule whenever the referenced interface changes its address.
-Reloading the rule set is not required in this case.
-If specified,
-.Em mask-bits
-refers to the number of bits in the netmask.
-The negation character,
-.Sq ! ,
-may be used before an
-.Em ifname
-or an
-.Em address .
-The protocol specification is optional.
-If it is omitted, the rule applies to packets of all protocols.
-.Pp
-.Em rdr
-rules can optionally specify port ranges instead of single ports.
-\'rdr ... port 2000:2999 -> ... port 4000\' redirects ports 2000 to 2999
-(including port 2000 and 2999) to the same port 4000.
-\'rdr ... port 2000:2999 -> ... port 4000:*\' redirects port 2000 to 4000,
-2001 to 4001, ..., 2999 to 4999.
-.Sh EXAMPLES
-This example maps incoming requests on port 80 to port 8080, on
-which Apache Tomcat is running (say Tomcat is not run as root,
-therefore lacks permission to bind to port 80).
-.Bd -literal
-# map tomcat on 8080 to appear to be on 80
-rdr on ne3 proto tcp from any to any port 80 -> 127.0.0.1 port 8080
-.Ed
-.Pp
-In the example below, vlan12 is configured for the 192.168.168.1;
-the machine translates all packets coming from 192.168.168.0/24 to 204.92.77.111
-when they are going out any interface except vlan12.
-This has the net effect of making traffic from the 192.168.168.0/24
-network appear as though it is the Internet routeable address
-204.92.77.111 to nodes behind any interface on the router except
-for the nodes on vlan12.
-(Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.)
-.Bd -literal
-nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111
-.Ed
-.Pp
-In the example below, fxp1 is the outside interface; the machine sits between a
-fake internal 144.19.74.* network, and a routable external IP of 204.92.77.100.
-The "no nat" rule excludes protocol AH from being translated.
-.Bd -literal
-no nat on fxp1 proto ah from 144.19.74.0/24 to any
-nat on fxp1 from 144.19.74.0/24 to any -> 204.92.77.100
-.Ed
-.Pp
-In the example below, fxp0 is the outside interface; a 1:1
-bidirectional map is created between the private address 192.168.1.5
-and the routable external address 204.92.77.113.
-(Thus, incoming traffic to 204.92.77.113 is mapped to the internal
-address 192.168.1.5.)
-.Bd -literal
-binat on fxp0 from 192.168.1.5 to any -> 204.92.77.113
-.Ed
-.Pp
-This longer example uses both a NAT and a redirection.
-Interface kue0 is the outside interface, and its external address is
-157.161.48.183.
-Interface fxp0 is the inside interface, and we are running
-.Xr ftp-proxy 8
-listening for outbound ftp sessions captured to port 8081.
-.Bd -literal
-# NAT
-# translate outgoing packets' source addresses (any protocol)
-# in my case, any address but the gateway's external address is mapped
-#
-nat on kue0 from ! (kue0) to any -> (kue0)
-
-# BINAT
-# translate outgoing packets' source address (any protocol)
-# translate incoming packets' destination address to an internal machine
-# (bidirectional)
-binat on kue0 from 10.1.2.150 to any -> (kue0)
-
-# RDR
-# translate incoming packets' destination addresses
-# as an example, redirect a TCP and UDP port to an internal machine
-# NOTE: the lines below are split for readability
-#
-rdr on kue0 proto tcp from any to (kue0) port 8080 -> 10.1.2.151 port 22
-rdr on kue0 proto udp from any to (kue0) port 8080 -> 10.1.2.151 port 53
-
-# RDR
-# translate outgoing ftp control connections to send them to localhost
-# for proxying with ftp-proxy(8) running on port 8081
-rdr on fxp0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
-
-.Ed
-.Sh FILES
-.Bl -tag -width "/etc/nat.conf" -compact
-.It Pa /etc/hosts
-.It Pa /etc/nat.conf
-.It Pa /etc/protocols
-.It Pa /etc/services
-.El
-.Sh SEE ALSO
-.Xr pf 4 ,
-.Xr hosts 5 ,
-.Xr pf.conf 5 ,
-.Xr protocols 5 ,
-.Xr services 5 ,
-.Xr ftp-proxy 8 ,
-.Xr pfctl 8
-.Sh HISTORY
-The
-.Nm
-file format appeared in
-.Ox 3.0 .