Changeset View
Changeset View
Standalone View
Standalone View
share/man/man5/pf.conf.5
| Show All 21 Lines | |||||
| .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, | .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, | ||||
| .\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | .\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||||
| .\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | .\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | ||||
| .\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | .\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||||
| .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN | ||||
| .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | ||||
| .\" POSSIBILITY OF SUCH DAMAGE. | .\" POSSIBILITY OF SUCH DAMAGE. | ||||
| .\" | .\" | ||||
| .Dd April 22, 2025 | .Dd April 27, 2025 | ||||
kp: Don't forget to bump the date when you commit. | |||||
| .Dt PF.CONF 5 | .Dt PF.CONF 5 | ||||
| .Os | .Os | ||||
| .Sh NAME | .Sh NAME | ||||
| .Nm pf.conf | .Nm pf.conf | ||||
| .Nd packet filter configuration file | .Nd packet filter configuration file | ||||
| .Sh DESCRIPTION | .Sh DESCRIPTION | ||||
| The | The | ||||
| .Xr pf 4 | .Xr pf 4 | ||||
| ▲ Show 20 Lines • Show All 1,289 Lines • ▼ Show 20 Lines | |||||
| If the rule does not specify a direction the first packet to create state will | If the rule does not specify a direction the first packet to create state will | ||||
| be shaped according to the first number, and the response traffic according to | be shaped according to the first number, and the response traffic according to | ||||
| the second. | the second. | ||||
| .Pp | .Pp | ||||
| If the | If the | ||||
| .Xr dummynet 4 | .Xr dummynet 4 | ||||
| module is not loaded any traffic sent into a queue or pipe will be dropped. | module is not loaded any traffic sent into a queue or pipe will be dropped. | ||||
| .Sh TRANSLATION | .Sh TRANSLATION | ||||
| Translation rules modify either the source or destination address of the | Translation options modify either the source or destination address and | ||||
| packets associated with a stateful connection. | port of the packets associated with a stateful connection. | ||||
| A stateful connection is automatically created to track packets matching | .Xr pf 4 | ||||
| such a rule as long as they are not blocked by the filtering section of | modifies the specified address and/or port in the packet and recalculates | ||||
| .Nm pf.conf . | IP, TCP, and UDP checksums as necessary. | ||||
| The translation engine modifies the specified address and/or port in the | |||||
| packet, recalculates IP, TCP and UDP checksums as necessary, and passes | |||||
| it to the packet filter for evaluation. | |||||
| .Pp | .Pp | ||||
| Since translation occurs before filtering the filter | If specified on a | ||||
| engine will see packets as they look after any | .Ic match | ||||
| addresses and ports have been translated. | rule, subsequent rules will see packets as they look | ||||
| Filter rules will therefore have to filter based on the translated | after any addresses and ports have been translated. | ||||
| These rules will therefore have to filter based on the translated | |||||
| address and port number. | address and port number. | ||||
| Packets that match a translation rule are only automatically passed if | |||||
| the | |||||
| .Ar pass | |||||
| modifier is given, otherwise they are | |||||
| still subject to | |||||
| .Ar block | |||||
| and | |||||
| .Ar pass | |||||
| rules. | |||||
| .Pp | .Pp | ||||
| The state entry created permits | The state entry created permits | ||||
| .Xr pf 4 | .Xr pf 4 | ||||
| to keep track of the original address for traffic associated with that state | to keep track of the original address for traffic associated with that state | ||||
| and correctly direct return traffic for that connection. | and correctly direct return traffic for that connection. | ||||
| .Pp | .Pp | ||||
| Various types of translation are possible with pf: | Various types of translation are possible with pf: | ||||
| .Bl -tag -width xxxx | .Bl -tag -width xxxx | ||||
| ▲ Show 20 Lines • Show All 46 Lines • ▼ Show 20 Lines | |||||
| The destination IPv4 address is assumed to be embedded inside the | The destination IPv4 address is assumed to be embedded inside the | ||||
| original IPv6 destination address, e.g. 64:ff9b::c633:6464 will be | original IPv6 destination address, e.g. 64:ff9b::c633:6464 will be | ||||
| translated to 198.51.100.100. | translated to 198.51.100.100. | ||||
| .Pp | .Pp | ||||
| The current implementation will only extract IPv4 addresses from the | The current implementation will only extract IPv4 addresses from the | ||||
| IPv6 addresses with a prefix length of /96 and greater. | IPv6 addresses with a prefix length of /96 and greater. | ||||
| .It Ar binat | .It Ar binat | ||||
| A | A | ||||
| .Ar binat | .Ar binat-to | ||||
| rule specifies a bidirectional mapping between an external IP netblock | rule specifies a bidirectional mapping between an external IP netblock | ||||
| and an internal IP netblock. | and an internal IP netblock. | ||||
| .It Ar nat | It expands to an outbound | ||||
| .Ar nat-to | |||||
| rule and an inbound | |||||
| .Ar rdr-to | |||||
| rule. | |||||
| .It Ar nat-to | |||||
| A | A | ||||
| .Ar nat | .Ar nat-to | ||||
| rule specifies that IP addresses are to be changed as the packet | option specifies that IP addresses are to be changed as the packet | ||||
| traverses the given interface. | traverses the given interface. | ||||
| This technique allows one or more IP addresses | This technique allows one or more IP addresses | ||||
| on the translating host to support network traffic for a larger range of | on the translating host to support network traffic for a larger range of | ||||
| machines on an "inside" network. | machines on an "inside" network. | ||||
| Although in theory any IP address can be used on the inside, it is strongly | Although in theory any IP address can be used on the inside, it is strongly | ||||
| recommended that one of the address ranges defined by RFC 1918 be used. | recommended that one of the address ranges defined by RFC 1918 be used. | ||||
| These netblocks are: | These netblocks are: | ||||
| .Bd -literal | .Bd -literal -offset indent | ||||
| 10.0.0.0 - 10.255.255.255 (all of net 10, i.e., 10/8) | 10.0.0.0 - 10.255.255.255 (all of net 10.0.0.0, i.e., 10.0.0.0/8) | ||||
| 172.16.0.0 - 172.31.255.255 (i.e., 172.16/12) | 172.16.0.0 - 172.31.255.255 (i.e., 172.16.0.0/12) | ||||
| 192.168.0.0 - 192.168.255.255 (i.e., 192.168/16) | 192.168.0.0 - 192.168.255.255 (i.e., 192.168.0.0/16) | ||||
| .Ed | .Ed | ||||
| .It Pa rdr | .Pp | ||||
| .Ar nat-to | |||||
| is usually applied outbound. | |||||
| If applied inbound, nat-to to a local IP address is not supported. | |||||
| .It Pa rdr-to | |||||
| The packet is redirected to another destination and possibly a | The packet is redirected to another destination and possibly a | ||||
| different port. | different port. | ||||
| .Ar rdr | .Ar rdr-to | ||||
| rules can optionally specify port ranges instead of single ports. | can optionally specify port ranges instead of single ports. | ||||
| rdr ... port 2000:2999 -> ... port 4000 | For instance: | ||||
| .Bd -literal -offset indent | |||||
| match in ... port 2000:2999 rdr-to ... port 4000 | |||||
| .Ed | |||||
| redirects ports 2000 to 2999 (inclusive) to port 4000. | redirects ports 2000 to 2999 (inclusive) to port 4000. | ||||
| rdr ... port 2000:2999 -> ... port 4000:* | .Bd -literal -offset indent | ||||
| qmatch in ... port 2000:2999 rdr-to ... port 4000:* | |||||
| .Ed | |||||
| redirects port 2000 to 4000, 2001 to 4001, ..., 2999 to 4999. | redirects port 2000 to 4000, 2001 to 4001, ..., 2999 to 4999. | ||||
| .El | .El | ||||
| .Pp | .Pp | ||||
| .Ar rdr-to | |||||
| is usually applied inbound. | |||||
| If applied outbound, rdr-to to a local IP address is not supported. | |||||
| In addition to modifying the address, some translation rules may modify | In addition to modifying the address, some translation rules may modify | ||||
| source or destination ports for | source or destination ports for | ||||
| .Xr tcp 4 | .Xr tcp 4 | ||||
| or | or | ||||
| .Xr udp 4 | .Xr udp 4 | ||||
| connections; implicitly in the case of | connections; implicitly in the case of | ||||
| .Ar nat | .Ar nat-to | ||||
| rules and both implicitly and explicitly in the case of | options and both implicitly and explicitly in the case of | ||||
| .Ar rdr | .Ar rdr-to | ||||
| rules. | ones. | ||||
| A | A | ||||
| .Ar rdr | .Ar rdr-to | ||||
| rule may cause the source port to be modified if doing so avoids a conflict | opion may cause the source port to be modified if doing so avoids a conflict | ||||
| with an existing connection. | with an existing connection. | ||||
| A random source port in the range 50001-65535 is chosen in this case; to | A random source port in the range 50001-65535 is chosen in this case; to | ||||
| avoid excessive CPU consumption, the number of searches for a free port is | avoid excessive CPU consumption, the number of searches for a free port is | ||||
| limited by the | limited by the | ||||
| .Va net.pf.rdr_srcport_rewrite_tries | .Va net.pf.rdqr_srcport_rewrite_tries | ||||
| sysctl. | sysctl. | ||||
| Port numbers are never translated with a | Port numbers are never translated with a | ||||
| .Ar binat | .Ar binat-to | ||||
| rule. | option. | ||||
| .Pp | .Pp | ||||
| Note that redirecting external incoming connections to the loopback | |||||
| address, as in | |||||
| .Bd -literal -offset indent | |||||
| pass in on egress proto tcp from any to any port smtp \e | |||||
| rdr-to 127.0.0.1 port spamd | |||||
| .Ed | |||||
| .Pp | |||||
| will effectively allow an external host to connect to daemons | |||||
| bound solely to the loopback address, circumventing the traditional | |||||
| blocking of such connections on a real interface. | |||||
| Unless this effect is desired, any of the local non-loopback addresses | |||||
| should be used as redirection target instead, which allows external | |||||
| connections only to daemons bound to this address or not bound to | |||||
| any address. | |||||
| .Pp | |||||
| See | |||||
| .Sx TRANSLATION EXAMPLES | |||||
| below. | |||||
| .Ss NAT ruleset (pre-FreeBSD 15) | |||||
| In order to maintain compatibility with older releases of FreeBSD | |||||
| .Ar NAT | |||||
| rules can also be specified in their own ruleset. | |||||
| A stateful connection is automatically created to track packets matching | |||||
| such a rule as long as they are not blocked by the filtering section of | |||||
| .Nm pf.conf . | |||||
| Since translation occurs before filtering the filter | |||||
| engine will see packets as they look after any | |||||
Done Inline Actionsloqok typo. kp: `loqok` typo. | |||||
| addresses and ports have been translated. | |||||
| Filter rules will therefore have to filter based on the translated | |||||
| address and port number. | |||||
| Packets that match a translation rule are only automatically passed if | |||||
| the | |||||
| .Ar pass | |||||
| modifier is given, otherwise they are | |||||
| still subject to | |||||
| .Ar block | |||||
| and | |||||
| .Ar pass | |||||
| rules. | |||||
| .Pp | |||||
| The following rules can be defined in the NAT ruleset: | |||||
| .Ar binat , | |||||
| .Ar nat , | |||||
| and | |||||
| .Ar rdr . | |||||
| They have the same effect as | |||||
| .Ar binat-to , | |||||
| .Ar nat-to | |||||
| and | |||||
| .Ar rdr-to | |||||
| options for filter rules. | |||||
| .Pp | |||||
| The | |||||
| .Ar no | |||||
| option prefixed to a translation rule causes packets to remain untranslated, | |||||
| much in the same way as | |||||
| .Ar drop quick | |||||
| works in the packet filter. | |||||
| If no rule matches the packet it is passed to the filter engine unmodified. | |||||
| .Pp | |||||
| Evaluation order of the translation rules is dependent on the type | Evaluation order of the translation rules is dependent on the type | ||||
| of the translation rules and of the direction of a packet. | of the translation rules and of the direction of a packet. | ||||
| .Ar binat | .Ar binat | ||||
| rules are always evaluated first. | rules are always evaluated first. | ||||
| Then either the | Then either the | ||||
| .Ar rdr | .Ar rdr | ||||
| rules are evaluated on an inbound packet or the | rules are evaluated on an inbound packet or the | ||||
| .Ar nat | .Ar nat | ||||
| rules on an outbound packet. | rules on an outbound packet. | ||||
| Rules of the same type are evaluated in the same order in which they | Rules of the same type are evaluated in the same order in which they | ||||
| appear in the ruleset. | appear in the ruleset. | ||||
| The first matching rule decides what action is taken. | The first matching rule decides what action is taken. | ||||
| .Pp | .Pp | ||||
| The | |||||
| .Ar no | |||||
| option prefixed to a translation rule causes packets to remain untranslated, | |||||
| much in the same way as | |||||
| .Ar drop quick | |||||
| works in the packet filter (see below). | |||||
| If no rule matches the packet it is passed to the filter engine unmodified. | |||||
| .Pp | |||||
| Translation rules apply only to packets that pass through | Translation rules apply only to packets that pass through | ||||
| the specified interface, and if no interface is specified, | the specified interface, and if no interface is specified, | ||||
| translation is applied to packets on all interfaces. | translation is applied to packets on all interfaces. | ||||
| For instance, redirecting port 80 on an external interface to an internal | For instance, redirecting port 80 on an external interface to an internal | ||||
| web server will only work for connections originating from the outside. | web server will only work for connections originating from the outside. | ||||
| Connections to the address of the external interface from local hosts will | Connections to the address of the external interface from local hosts will | ||||
| not be redirected, since such packets do not actually pass through the | not be redirected, since such packets do not actually pass through the | ||||
| external interface. | external interface. | ||||
| Redirections cannot reflect packets back through the interface they arrive | Redirections cannot reflect packets back through the interface they arrive | ||||
| on, they can only be redirected to hosts connected to different interfaces | on, they can only be redirected to hosts connected to different interfaces | ||||
| or to the firewall itself. | or to the firewall itself. | ||||
| .Pp | .Pp | ||||
| Note that redirecting external incoming connections to the loopback | |||||
| address, as in | |||||
| .Bd -literal -offset indent | |||||
| rdr on ne3 inet proto tcp to port smtp -> 127.0.0.1 port spamd | |||||
| .Ed | |||||
| .Pp | |||||
| will effectively allow an external host to connect to daemons | |||||
| bound solely to the loopback address, circumventing the traditional | |||||
| blocking of such connections on a real interface. | |||||
| Unless this effect is desired, any of the local non-loopback addresses | |||||
| should be used as redirection target instead, which allows external | |||||
| connections only to daemons bound to this address or not bound to | |||||
| any address. | |||||
| .Pp | |||||
| See | See | ||||
| .Sx TRANSLATION EXAMPLES | .Sx COMPATIBILITY TRANSLATION EXAMPLES | ||||
| below. | below. | ||||
| .Sh PACKET FILTERING | .Sh PACKET FILTERING | ||||
| .Xr pf 4 | .Xr pf 4 | ||||
| has the ability to | has the ability to | ||||
| .Ar block | .Ar block | ||||
| , | , | ||||
| .Ar pass | .Ar pass | ||||
| and | and | ||||
| ▲ Show 20 Lines • Show All 79 Lines • ▼ Show 20 Lines | |||||
| rules differ from | rules differ from | ||||
| .Ar block | .Ar block | ||||
| and | and | ||||
| .Ar pass | .Ar pass | ||||
| rules in that parameters are set for every rule a packet matches, not only | rules in that parameters are set for every rule a packet matches, not only | ||||
| on the last matching rule. | on the last matching rule. | ||||
| For the following parameters, this means that the parameter effectively becomes | For the following parameters, this means that the parameter effectively becomes | ||||
| "sticky" until explicitly overridden: | "sticky" until explicitly overridden: | ||||
| .Ar nat-to , | |||||
| .Ar binat-to , | |||||
| .Ar rdr-to , | |||||
| .Ar queue , | .Ar queue , | ||||
| .Ar dnpipe , | .Ar dnpipe , | ||||
| .Ar dnqueue , | .Ar dnqueue , | ||||
| .Ar rtable , | .Ar rtable , | ||||
| .Ar scrub | .Ar scrub | ||||
| . | . | ||||
| .It Ar pass | .It Ar pass | ||||
| The packet is passed; | The packet is passed; | ||||
| ▲ Show 20 Lines • Show All 406 Lines • ▼ Show 20 Lines | |||||
| .Ar flags any . | .Ar flags any . | ||||
| This will cause | This will cause | ||||
| .Xr pf 4 | .Xr pf 4 | ||||
| to synchronize to existing connections, for instance | to synchronize to existing connections, for instance | ||||
| if one flushes the state table. | if one flushes the state table. | ||||
| However, states created from such intermediate packets may be missing | However, states created from such intermediate packets may be missing | ||||
| connection details such as the TCP window scaling factor. | connection details such as the TCP window scaling factor. | ||||
| States which modify the packet flow, such as those affected by | States which modify the packet flow, such as those affected by | ||||
| .Ar af-to, | .Ar af-to , | ||||
| .Ar nat, | .Ar nat , | ||||
| .Ar binat or | .Ar binat or | ||||
| .Ar rdr | .Ar rdr | ||||
| rules, | rules, | ||||
| .Ar modulate No or Ar synproxy state | .Ar modulate No or Ar synproxy state | ||||
| options, or scrubbed with | options, or scrubbed with | ||||
| .Ar reassemble tcp | .Ar reassemble tcp | ||||
| will also not be recoverable from intermediate packets. | will also not be recoverable from intermediate packets. | ||||
| Such connections will stall and time out. | Such connections will stall and time out. | ||||
| ▲ Show 20 Lines • Show All 996 Lines • ▼ Show 20 Lines | |||||
| connections. | connections. | ||||
| It can match ports, track state and NAT SCTP traffic. | It can match ports, track state and NAT SCTP traffic. | ||||
| However, it will not alter port numbers during nat or rdr translations. | However, it will not alter port numbers during nat or rdr translations. | ||||
| Doing so would break SCTP multihoming. | Doing so would break SCTP multihoming. | ||||
| .Sh TRANSLATION EXAMPLES | .Sh TRANSLATION EXAMPLES | ||||
| This example maps incoming requests on port 80 to port 8080, on | This example maps incoming requests on port 80 to port 8080, on | ||||
| which a daemon is running (because, for example, it is not run as root, | which a daemon is running (because, for example, it is not run as root, | ||||
| and therefore lacks permission to bind to port 80). | and therefore lacks permission to bind to port 80). | ||||
| .Bd -literal | .Bd -literal -offset indent | ||||
| # use a macro for the interface name, so it can be changed easily | # use a macro for the interface name, so it can be changed easily | ||||
| ext_if = \&"ne3\&" | ext_if = \&"ne3\&" | ||||
| # map daemon on 8080 to appear to be on 80 | # map daemon on 8080 to appear to be on 80 | ||||
| rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080 | match in on $ext_if proto tcp from any to any port 80 \e | ||||
| rdr-to 127.0.0.1 port 8080 | |||||
| .Ed | .Ed | ||||
| .Pp | .Pp | ||||
| If the | If a | ||||
| .Ar pass | .Ar pass | ||||
| modifier is given, packets matching the translation rule are passed without | rule is used with the | ||||
| inspecting the filter rules: | .Ar quick | ||||
| .Bd -literal | modifier, packets matching the translation rule are passed without | ||||
| rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 \e | inspecting subsequent filter rules: | ||||
| port 8080 | .Bd -literal -offset indent | ||||
| pass in quick on $ext_if proto tcp from any to any port 80 \e | |||||
| rdr-to 127.0.0.1 port 8080 | |||||
| .Ed | .Ed | ||||
| .Pp | .Pp | ||||
| In the example below, vlan12 is configured as 192.168.168.1; | In the example below, vlan12 is configured as 192.168.168.1; | ||||
| the machine translates all packets coming from 192.168.168.0/24 to 204.92.77.111 | the machine translates all packets coming from 192.168.168.0/24 to 204.92.77.111 | ||||
| when they are going out any interface except vlan12. | when they are going out any interface except vlan12. | ||||
| This has the net effect of making traffic from the 192.168.168.0/24 | This has the net effect of making traffic from the 192.168.168.0/24 | ||||
| network appear as though it is the Internet routable address | network appear as though it is the Internet routable address | ||||
| 204.92.77.111 to nodes behind any interface on the router except | 204.92.77.111 to nodes behind any interface on the router except | ||||
| for the nodes on vlan12. | for the nodes on vlan12. | ||||
| (Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.) | (Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.) | ||||
| .Bd -literal | .Bd -literal -offset indent | ||||
| nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111 | match out on ! vlan12 from 192.168.168.0/24 to any nat-to 204.92.77.111 | ||||
| .Ed | .Ed | ||||
| .Pp | .Pp | ||||
| In the example below, the machine sits between a fake internal 144.19.74.* | |||||
| network, and a routable external IP of 204.92.77.100. | |||||
| The | |||||
| .Ar no nat | |||||
| rule excludes protocol AH from being translated. | |||||
| .Bd -literal | |||||
| # NO NAT | |||||
| no nat on $ext_if proto ah from 144.19.74.0/24 to any | |||||
| nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100 | |||||
| .Ed | |||||
| .Pp | |||||
| In the example below, packets bound for one specific server, as well as those | |||||
| generated by the sysadmins are not proxied; all other connections are. | |||||
| .Bd -literal | |||||
| # NO RDR | |||||
| no rdr on $int_if proto { tcp, udp } from any to $server port 80 | |||||
| no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80 | |||||
| rdr on $int_if proto { tcp, udp } from any to any port 80 -> 127.0.0.1 \e | |||||
| port 80 | |||||
| .Ed | |||||
| .Pp | |||||
| This longer example uses both a NAT and a redirection. | This longer example uses both a NAT and a redirection. | ||||
| The external interface has the address 157.161.48.183. | The external interface has the address 157.161.48.183. | ||||
| On localhost, we are running | On localhost, we are running | ||||
| .Xr ftp-proxy 8 , | .Xr ftp-proxy 8 , | ||||
| waiting for FTP sessions to be redirected to it. | waiting for FTP sessions to be redirected to it. | ||||
| The three mandatory anchors for | The three mandatory anchors for | ||||
| .Xr ftp-proxy 8 | .Xr ftp-proxy 8 | ||||
| are omitted from this example; see the | are omitted from this example; see the | ||||
| .Xr ftp-proxy 8 | .Xr ftp-proxy 8 | ||||
| manpage. | manpage. | ||||
| .Bd -literal | .Bd -literal -offset indent | ||||
| # NAT | # NAT | ||||
| # Translate outgoing packets' source addresses (any protocol). | # Translate outgoing packets' source addresses (any protocol). | ||||
| # In this case, any address but the gateway's external address is mapped. | # In this case, any address but the gateway's external address is mapped. | ||||
| nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if) | pass out on $ext_if inet from ! ($ext_if) to any nat-to ($ext_if) | ||||
| # NAT PROXYING | # NAT PROXYING | ||||
| # Map outgoing packets' source port to an assigned proxy port instead of | # Map outgoing packets' source port to an assigned proxy port instead of | ||||
| # an arbitrary port. | # an arbitrary port. | ||||
| # In this case, proxy outgoing isakmp with port 500 on the gateway. | # In this case, proxy outgoing isakmp with port 500 on the gateway. | ||||
| nat on $ext_if inet proto udp from any port = isakmp to any -> ($ext_if) \e | pass out on $ext_if inet proto udp from any port = isakmp to any \e | ||||
| port 500 | nat-to ($ext_if) port 500 | ||||
| # BINAT | # BINAT | ||||
| # Translate outgoing packets' source address (any protocol). | # Translate outgoing packets' source address (any protocol). | ||||
| # Translate incoming packets' destination address to an internal machine | # Translate incoming packets' destination address to an internal machine | ||||
| # (bidirectional). | # (bidirectional). | ||||
| binat on $ext_if from 10.1.2.150 to any -> $ext_if | pass on $ext_if from 10.1.2.150 to any binat-to $ext_if | ||||
| # Translate packets arriving on $peer_if addressed to 172.22.16.0/20 | # Translate packets arriving on $peer_if addressed to 172.22.16.0/20 | ||||
| # to the corresponding address in 172.21.16.0/20 (bidirectional). | # to the corresponding address in 172.21.16.0/20 (bidirectional). | ||||
| binat on $peer_if from 172.21.16.0/20 to any -> 172.22.16.0/20 | pass on $peer_if from 172.21.16.0/20 to any binat-to 172.22.16.0/20 | ||||
| # RDR | # RDR | ||||
| # Translate incoming packets' destination addresses. | # Translate incoming packets' destination addresses. | ||||
| # As an example, redirect a TCP and UDP port to an internal machine. | # As an example, redirect a TCP and UDP port to an internal machine. | ||||
| rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e | pass in on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e | ||||
| -> 10.1.2.151 port 22 | rdr-to 10.1.2.151 port 22 | ||||
| rdr on $ext_if inet proto udp from any to ($ext_if) port 8080 \e | pass in on $ext_if inet proto udp from any to ($ext_if) port 8080 \e | ||||
| -> 10.1.2.151 port 53 | rdr-to 10.1.2.151 port 53 | ||||
| # RDR | # RDR | ||||
| # Translate outgoing ftp control connections to send them to localhost | # Translate outgoing ftp control connections to send them to localhost | ||||
| # for proxying with ftp-proxy(8) running on port 8021. | # for proxying with ftp-proxy(8) running on port 8021. | ||||
| rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021 | pass in on $int_if proto tcp from any to any port 21 \e | ||||
| rdr-to 127.0.0.1 port 8021 | |||||
| .Ed | .Ed | ||||
| .Pp | .Pp | ||||
| In this example, a NAT gateway is set up to translate internal addresses | In this example, a NAT gateway is set up to translate internal addresses | ||||
| using a pool of public addresses (192.0.2.16/28) and to redirect | using a pool of public addresses (192.0.2.16/28) and to redirect | ||||
| incoming web server connections to a group of web servers on the internal | incoming web server connections to a group of web servers on the internal | ||||
| network. | network. | ||||
| .Bd -literal | .Bd -literal -offset indent | ||||
| # NAT LOAD BALANCE | # NAT LOAD BALANCE | ||||
| # Translate outgoing packets' source addresses using an address pool. | # Translate outgoing packets' source addresses using an address pool. | ||||
| # A given source address is always translated to the same pool address by | # A given source address is always translated to the same pool address by | ||||
| # using the source-hash keyword. | # using the source-hash keyword. | ||||
| nat on $ext_if inet from any to any -> 192.0.2.16/28 source-hash | pass out on $ext_if inet from any to any nat-to 192.0.2.16/28 source-hash | ||||
| # RDR ROUND ROBIN | # RDR ROUND ROBIN | ||||
| # Translate incoming web server connections to a group of web servers on | # Translate incoming web server connections to a group of web servers on | ||||
| # the internal network. | # the internal network. | ||||
| rdr on $ext_if proto tcp from any to any port 80 \e | pass in on $ext_if proto tcp from any to any port 80 \e | ||||
| -> { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin | rdr-to { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin | ||||
| .Ed | .Ed | ||||
| .Sh COMPATIBILITY TRANSLATION EXAMPLES | |||||
| In the example below, the machine sits between a fake internal 144.19.74.* | |||||
| network, and a routable external IP of 204.92.77.100. | |||||
| The | |||||
| .Ar no nat | |||||
| rule excludes protocol AH from being translated. | |||||
| .Bd -literal -offset indent | |||||
| # NAT | |||||
| no nat on $ext_if proto ah from 144.19.74.0/24 to any | |||||
| nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100 | |||||
| .Ed | |||||
| .Pp | |||||
| In the example below, packets bound for one specific server, as well as those | |||||
| generated by the sysadmins are not proxied; all other connections are. | |||||
| .Bd -literal -offset indent | |||||
| # RDR | |||||
| no rdr on $int_if proto { tcp, udp } from any to $server port 80 | |||||
| no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80 | |||||
| rdr on $int_if proto { tcp, udp } from any to any port 80 \e | |||||
| -> 127.0.0.1 port 80 | |||||
| .Ed | |||||
| .Sh FILTER EXAMPLES | .Sh FILTER EXAMPLES | ||||
| .Bd -literal | .Bd -literal -offset indent | ||||
| # The external interface is kue0 | # The external interface is kue0 | ||||
| # (157.161.48.183, the only routable address) | # (157.161.48.183, the only routable address) | ||||
| # and the private network is 10.0.0.0/8, for which we are doing NAT. | # and the private network is 10.0.0.0/8, for which we are doing NAT. | ||||
| # Reassemble incoming traffic | # Reassemble incoming traffic | ||||
| set reassemble yes | set reassemble yes | ||||
| # use a macro for the interface name, so it can be changed easily | # use a macro for the interface name, so it can be changed easily | ||||
| ▲ Show 20 Lines • Show All 372 Lines • Show Last 20 Lines | |||||
Don't forget to bump the date when you commit.