1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
|
.\" $OpenBSD: nat.conf.5,v 1.27 2002/06/11 02:12:37 dhartmei Exp $
.\"
.\" Copyright (c) 2001 Ian Darwin. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\" derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd June 26, 2001
.Dt NAT.CONF 5
.Os
.Sh NAME
.Nm nat.conf
.Nd network address translation (NAT) configuration file for packet filtering
.Sh DESCRIPTION
The rules file for network address translation specify which addresses
are to be mapped and which are to be redirected.
.Pp
A
.Em nat
rule specifies that IP addresses are to be changed as the packet
traverses the given interface.
This technique of network address translation (NAT) allows a single
IP address on the translating host to support network traffic for a
larger range of machines on an inside network.
Although in theory any IP address can be used on the inside, it is strongly
recommended that one of the address ranges defined by RFC 1918 be used.
These netblocks are:
.Bd -literal
10.0.0.0 - 10.255.255.255 (all of net 10, i.e., 10/8)
172.16.0.0 - 172.31.255.255 (i.e., 172.16/12)
192.168.0.0 - 192.168.255.255 (i.e., 192.168/16)
.Ed
.Pp
A
.Em binat
rule specifies a bidirectional map between an external IP address and an
an internal IP address.
.Pp
An
.Em rdr
rule specifies an incoming connection to be redirected
to another host and optionally a different port.
.Pp
Note that all translation rules apply only to packets that pass through
the specified interface.
For instance, redirecting port 80 on an external interface to an
internal web server will only work for connections originating from
the outside.
Connections to the address of the external interface from local hosts
will not be redirected, since such packets do not actually pass through
the external interface.
Redirections can't reflect packets back through the interface they
arrive on, they can only be redirected to hosts connected to different
interfaces or to the firewall itself.
.Pp
Also note that all translations of packets occur before the filter
rules in
.Xr pf.conf 5
are evaluated.
Hence, 'pass in' rules for redirected packets should specify the
address/port after translation.
.Sh GRAMMAR
Syntax for filter rules in BNF:
.Bd -literal
rule = [ "no" ] ( nat_rule | binat_rule | rdr_rule ) .
nat_rule = "nat" "on" [ "!" ] ifname [ protospec ] hosts
[ "->" address [ portspec ] ] .
binat_rule = "binat" "on" ifname [ protospec ] "from" address
"to" ipspec [ "->" address ] .
rdr_rule = "rdr" "on" [ "!" ] ifname [ protospec ] "from" ipspec
"to" ipspec [ portspec ] [ "->" address [ portspec ] ] .
protospec = "proto" ( number | "tcp" | "udp" | "icmp" ) .
ipspec = "any" | host | "{" host-list "}" .
portspec = "port" ( number | name ) [ ":" ( "*" | number | name ) ] .
hosts = "all" |
"from" ( "any" | host | "{" host-list "}" ) [ port ]
"to" ( "any" | host | "{" host-list "}" ) [ port ] .
host = [ "!" ] address [ "/" mask-bits ] .
address = ( interface-name | "(" interface-name ")" | host-name |
ipv4-dotted-quad | ipv6-coloned-hex ) .
host-list = host [ "," host-list ] .
port = "port" ( unary-op | binary-op | "{" op-list "}" ) .
unary-op = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ]
( name | number ) .
binary-op = number ( "<>" | "><" ) number .
op-list = ( unary-op | binary-op ) [ "," op-list ] .
.Ed
.Pp
Comments begin with the character `#'; empty lines are ignored.
Rules are processed in the order read, one rule per line.
The first matching rule is applied.
Rules prefixed with "no" lead to no translation.
Such rules can be used to exclude certain connections from being
translated.
.Pp
An
.Em ifname
is a network interface such as fxp4, ne0, or ep1.
.Em address
can be specified in CIDR notation (matching a netblock), as
symbolic host name or interface name.
Host name resolution and interface to address translation are done at rule
set load-time.
When the address of an interface (or host name) changes (by DHCP or PPP,
for instance), the rule set must be reloaded for the change to be reflected
in the kernel.
Interface names surrounded by parentheses cause an automatic update of
the rule whenever the referenced interface changes its address.
Reloading the rule set is not required in this case.
If specified,
.Em mask-bits
refers to the number of bits in the netmask.
The negation character,
.Sq ! ,
may be used before an
.Em ifname
or an
.Em address .
The protocol specification is optional.
If it is omitted, the rule applies to packets of all protocols.
.Pp
.Em rdr
rules can optionally specify port ranges instead of single ports.
\'rdr ... port 2000:2999 -> ... port 4000\' redirects ports 2000 to 2999
(including port 2000 and 2999) to the same port 4000.
\'rdr ... port 2000:2999 -> ... port 4000:*\' redirects port 2000 to 4000,
2001 to 4001, ..., 2999 to 4999.
.Sh EXAMPLES
This example maps incoming requests on port 80 to port 8080, on
which Apache Tomcat is running (say Tomcat is not run as root,
therefore lacks permission to bind to port 80).
.Bd -literal
# map tomcat on 8080 to appear to be on 80
rdr on ne3 proto tcp from any to any port 80 -> 127.0.0.1 port 8080
.Ed
.Pp
In the example below, vlan12 is configured for the 192.168.168.1;
the machine translates all packets coming from 192.168.168.0/24 to 204.92.77.111
when they are going out any interface except vlan12.
This has the net effect of making traffic from the 192.168.168.0/24
network appear as though it is the Internet routeable address
204.92.77.111 to nodes behind any interface on the router except
for the nodes on vlan12.
(Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.)
.Bd -literal
nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111
.Ed
.Pp
In the example below, fxp1 is the outside interface; the machine sits between a
fake internal 144.19.74.* network, and a routable external IP of 204.92.77.100.
The "no nat" rule excludes protocol AH from being translated.
.Bd -literal
no nat on fxp1 proto ah from 144.19.74.0/24 to any
nat on fxp1 from 144.19.74.0/24 to any -> 204.92.77.100
.Ed
.Pp
In the example below, fxp0 is the outside interface; a 1:1
bidirectional map is created between the private address 192.168.1.5
and the routable external address 204.92.77.113.
(Thus, incoming traffic to 204.92.77.113 is mapped to the internal
address 192.168.1.5.)
.Bd -literal
binat on fxp0 from 192.168.1.5 to any -> 204.92.77.113
.Ed
.Pp
This longer example uses both a NAT and a redirection.
Interface kue0 is the outside interface, and its external address is
157.161.48.183.
Interface fxp0 is the inside interface, and we are running
.Xr ftp-proxy 8
listening for outbound ftp sessions captured to port 8081.
.Bd -literal
# NAT
# translate outgoing packets' source addresses (any protocol)
# in my case, any address but the gateway's external address is mapped
#
nat on kue0 from ! (kue0) to any -> (kue0)
# BINAT
# translate outgoing packets' source address (any protocol)
# translate incoming packets' destination address to an internal machine
# (bidirectional)
binat on kue0 from 10.1.2.150 to any -> (kue0)
# RDR
# translate incoming packets' destination addresses
# as an example, redirect a TCP and UDP port to an internal machine
# NOTE: the lines below are split for readability
#
rdr on kue0 proto tcp from any to (kue0) port 8080 -> 10.1.2.151 port 22
rdr on kue0 proto udp from any to (kue0) port 8080 -> 10.1.2.151 port 53
# RDR
# translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8081
rdr on fxp0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
.Ed
.Sh FILES
.Bl -tag -width "/etc/nat.conf" -compact
.It Pa /etc/hosts
.It Pa /etc/nat.conf
.It Pa /etc/protocols
.It Pa /etc/services
.El
.Sh SEE ALSO
.Xr pf 4 ,
.Xr hosts 5 ,
.Xr pf.conf 5 ,
.Xr protocols 5 ,
.Xr services 5 ,
.Xr ftp-proxy 8 ,
.Xr pfctl 8
.Sh HISTORY
The
.Nm
file format appeared in
.Ox 3.0 .
|