Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Document state policy flags for 'nat' and 'rdr' rules.

Browse Source
This commit is contained in:
dyoung 2007-05-10 23:03:22 +00:00
parent f7748bc6aa
commit e096ddfc8a
1 changed files with 20 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
dist/pf/share/man/man5/pf.conf.5 vendored
View File

@ -1,4 +1,4 @@
.\" $NetBSD: pf.conf.5,v 1.10 2006/09/17 13:53:33 wiz Exp $ .\" $NetBSD: pf.conf.5,v 1.11 2007/05/10 23:03:22 dyoung Exp $
.\" $OpenBSD: pf.conf.5,v 1.326 2005/03/01 18:10:44 jmc Exp $ .\" $OpenBSD: pf.conf.5,v 1.326 2005/03/01 18:10:44 jmc Exp $
.\" .\"
.\" Copyright (c) 2002, Daniel Hartmeier .\" Copyright (c) 2002, Daniel Hartmeier
@ -1779,7 +1779,7 @@ single interface or a group of interfaces.
.Pp .Pp
The default policy is specified by the The default policy is specified by the
.Ar state-policy .Ar state-policy
global option, but this can be adjusted on a per-rule basis by adding one global option, but this can be adjusted on individual filter rules by adding one
of the of the
.Ar if-bound , .Ar if-bound ,
.Ar group-bound .Ar group-bound
@ -1796,6 +1796,22 @@ pass out on ppp from any to 10.12/16 keep state (group-bound)
A state created on ppp0 would match packets an all PPP interfaces, A state created on ppp0 would match packets an all PPP interfaces,
but not packets flowing through fxp0 or any other interface. but not packets flowing through fxp0 or any other interface.
.Pp .Pp
You can adjust the state policy on individual
.Ar nat
and
.Ar rdr
translation rules by adding a keyword
.Ar if-bound ,
.Ar group-bound
or
.Ar floating
at the end of the rule. For example, a rule such as this,
.Bd -literal -offset indent
nat on sip0 from 10/8 to ! 10/8 -> 192.168.1.4/32 if-bound
.Ed
.Pp
will create states that only match packets on sip0.
.Pp
Keeping rules Keeping rules
.Ar floating .Ar floating
is the more flexible option when the firewall is in a dynamic routing is the more flexible option when the firewall is in a dynamic routing
@ -2667,6 +2683,7 @@ nat-rule = [ "no" ] "nat" [ "pass" ] [ "on" ifspec ] [ af ]
[ protospec ] hosts [ "tag" string ] [ "tagged" string ] [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
[ "->" ( redirhost | "{" redirhost-list "}" ) [ "->" ( redirhost | "{" redirhost-list "}" )
[ portspec ] [ pooltype ] [ "static-port" ] ] [ portspec ] [ pooltype ] [ "static-port" ] ]
[ ( "if-bound" | "group-bound" | "floating" ) ]
binat-rule = [ "no" ] "binat" [ "pass" ] [ "on" interface-name ] binat-rule = [ "no" ] "binat" [ "pass" ] [ "on" interface-name ]
[ af ] [ "proto" ( proto-name | proto-number ) ] [ af ] [ "proto" ( proto-name | proto-number ) ]
@ -2678,6 +2695,7 @@ rdr-rule = [ "no" ] "rdr" [ "pass" ] [ "on" ifspec ] [ af ]
[ protospec ] hosts [ "tag" string ] [ "tagged" string ] [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
[ "->" ( redirhost | "{" redirhost-list "}" ) [ "->" ( redirhost | "{" redirhost-list "}" )
[ portspec ] [ pooltype ] ] [ portspec ] [ pooltype ] ]
[ ( "if-bound" | "group-bound" | "floating" ) ]
antispoof-rule = "antispoof" [ "log" ] [ "quick" ] antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
"for" ( interface-name | "{" interface-list "}" ) "for" ( interface-name | "{" interface-list "}" )