4th November 2011
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,131

From http://www.openbsd.org/faq/pf/nat.html#config

Quote:
NAT is specified as an optional nat-to parameter to an outbound pass rule. Often, rather than being set directly on the pass rule, a match rule is used. When a packet is selected by a match rule, parameters (e.g. nat-to) in that rule are remembered and are applied to the packet when a pass rule matching the packet is reached. This permits a whole class of packets to be handled by a single match rule and then specific decisions on whether to allow the traffic can be made with block and pass rules.

The general format in pf.conf looks something like this:

Code:
    match out on interface [af] \
       from src_addr to dst_addr \
       nat-to ext_addr [pool_type] [static-port]
    ...
    pass out [log] on interface [af] [proto protocol] \
       from ext_addr [port src_port] \
       to dst_addr [port dst_port]
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
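To show how the quoted match/pass split from the FAQ looks in a complete ruleset, here is an added pf.conf example. It is not part of the original post or of the OpenBSD FAQ; the interface names (em0, em1) and the LAN prefix (192.168.1.0/24) are assumptions chosen for illustration.

```pf
# Added example of the match + nat-to / pass structure quoted above.
# Interface names and the LAN prefix are assumptions for illustration.
ext_if  = "em0"                  # assumed external (Internet-facing) interface
int_if  = "em1"                  # assumed internal (LAN) interface
int_net = "192.168.1.0/24"       # assumed LAN behind the firewall

set skip on lo

# Remember nat-to for everything leaving on $ext_if from the LAN.
# Nothing is translated at this point: the parameter is only applied
# when a later pass rule accepts the packet.  "($ext_if)" in parentheses
# follows the interface address if it changes (e.g. a DHCP lease).
match out on $ext_if inet from $int_net to any nat-to ($ext_if)

# Default deny.  LAN traffic that no pass rule accepts is dropped here
# and is never translated, because the match rule only set a parameter.
block log all

# Accept LAN traffic arriving on the inside interface ...
pass in on $int_if inet from $int_net to any

# ... and let it leave on the outside.  As in the quoted template, the
# outbound pass rule is written against the translated source address
# (ext_addr); this is where the remembered nat-to takes effect.
# The same rule also covers traffic originated by the firewall itself.
pass out on $ext_if inet from ($ext_if) to any
```

Check the file before loading it with `pfctl -nf /etc/pf.conf` (parse only, nothing is loaded), then load it with `pfctl -f /etc/pf.conf` and inspect the result with `pfctl -s rules`. Because the block rule is logged, LAN traffic that is dropped instead of translated shows up on pflog0 with `tcpdump -n -e -ttt -i pflog0`, which is the quickest way to see whether a packet failed to reach the pass rule. If a protocol needs its source port preserved through the translation, add `static-port` to the nat-to rule as the quoted template indicates.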