#9, 22nd October 2011
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,984

Start with the word "egress". You can see it appear in your ifconfig output for vr0:
Code:
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:b9:1c:96:80
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::20d:b9ff:fe1c:9680%vr0 prefixlen 64 scopeid 0x1
        inet 192.168.1.103 netmask 0xffffff00 broadcast 192.168.1.255
The ifconfig man page says:
Code:
     group group-name
                     Assign the interface to a ``group''.  Any interface can
                     be in multiple groups.

                     For instance, such a group could be used to create a
                     hardware independent pf(4) ruleset (i.e. not one based on
                     the names of NICs) using existing (egress, carp, etc.) or
                     user-defined groups.

                     Some interfaces belong to specific groups by default:

                     -       All interfaces are members of the all interface
                             group.
                     -       Cloned interfaces are members of their interface
                             family group.  For example, a PPP interface such
                             as ppp0 is a member of the ppp interface family
                             group.
                     -       The interface(s) the default route(s) point to
                             are members of the egress interface group.
                     -       IEEE 802.11 wireless interfaces are members of
                             the wlan interface group.
                     -       Any interfaces used for network booting are
                             members of the netboot interface group.
The PF User's Guide chapter on Network Address Translation describes the use of !, () and of :0. I will not quote the entire chapter, just the relevant discussions. For src_addr, the use of !:
Quote:
Any of the above but negated using the ! ("not") modifier.
The use of ():
Quote:
The name of the external network interface in parentheses ( ). This tells PF to update the rule if the IP address(es) on the named interface changes. This is highly useful when the external interface gets its IP address via DHCP or dial-up as the ruleset doesn't have to be reloaded each time the address changes.
And lastly, :0 appended to an interface:
Quote:
...the :0 modifier can be appended to either an interface name or to any of the above modifiers to indicate that PF should not include aliased IP addresses in the substitution.
Well, what do you know? The official documentation answered your questions.
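The three constructs the post points at (`egress`, `( )` and `:0`) only make sense together in a ruleset, so here is a small pf.conf that uses them side by side. This is an added illustration, not the poster's ruleset and not the example from the PF User's Guide. It assumes vr0 (the interface from the ifconfig output above) carries the default route and is therefore in the `egress` group, and it assumes a hypothetical LAN interface vr1 on 192.168.2.0/24; both of those are assumptions, not facts from the thread.

```pf
# Added example pf.conf, not from the original post.
# Assumptions: vr0 holds the default route (so it is a member of the
# "egress" group); vr1 is a hypothetical LAN interface on 192.168.2.0/24.

lan = "vr1"

set skip on lo

# Hardware-dependent form: tied to a NIC name and a literal address.
# Renaming the NIC or getting a new DHCP lease silently breaks it.
#match out on vr0 inet from 192.168.2.0/24 to any nat-to 192.168.1.103

# Group-based form.  "egress" names whichever interface(s) hold the
# default route, so the rule survives a NIC swap.  The parentheses make
# pf re-read the interface address when it changes (DHCP renewal), so
# the ruleset does not have to be reloaded.  ":0" excludes aliased
# addresses, so only the primary address is used as the NAT source.
# "inet" restricts the rule to IPv4 so the fe80:: link-local address
# on vr0 is never considered.
match out on egress inet from $lan:network to any nat-to (egress:0)

# Negated form: translate anything that does NOT already come from the
# egress interface's own primary address.  "!" applies to the whole
# parenthesised, :0-modified expression.
#match out on egress inet from !(egress:0) to any nat-to (egress:0)

pass in on $lan inet from $lan:network to any
pass out on egress inet keep state
```

Two checks worth running before trusting this: `ifconfig egress` prints the interfaces currently in the group, which confirms that vr0 is really what `egress` resolves to on the box; and `pfctl -nf /etc/pf.conf` parses the file without loading it, which catches a `:0` or `( )` placed where the grammar does not allow it. The two `match` rules are alternatives, not meant to be enabled together.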