And in that section (pf(4) NAT syntax change) it says:

8><--
  nat on $ext_if from 10/8 -> ($ext_if)
  rdr on $ext_if to ($ext_if) -> 1.2.3.4

becomes

  match out on $ext_if from 10/8 nat-to ($ext_if)
  match in on $ext_if to ($ext_if) rdr-to 1.2.3.4
----><8
Leaving out the redirects we can have a 4.6 pf.conf:

  # pf.conf for 4.6 simple NAT fw/router
  # skip the if macros for now
  nat on $ext_if from 10/8 -> ($ext_if)
  block on $ext_if
  pass out on $ext_if from ($ext_if:0)
  pass on $int_if
  # EOF

Utterly just about the simplest pf.conf for 4.6, and we would all want more in there I'd say, but it will do for the exercise. Yep, it won't pass traffic that was not NATted, but NAT keeps state for the LAN hosts.

Now take any old box with two NICs, bang 4.7 on it, apply the suggested change and then try it. Then come back and tell me why ALL the examples start with "match"? (i.e. NAT in man pf.conf for 4.7)

The latest pf.conf documentation is written by people who don't need documentation but, probably for the first time, they forgot that "compleat newbies" need docs that enable them to get things working if they RTveryFM. Uncorrected, I fear we will see lots of frustration from folk who have been told that there is the finest set of man pages around at OpenBSD. I have my lab setups working, but I have the benefit of working with ipf, then pf since 2.something, and I still scratched my head reading pf.conf(5), the upgrade47 doc and Henning's email (referred to in the upgrade doc).

How about a ruleset like this (equally missing frills):

  # pf.conf for 4.7
  block in on $ext_if
  pass out on $ext_if from ($ext_if:0)
  pass out on $ext_if from $lan_ip to any nat-to ($ext_if:0)
  pass on $int_if
  # EOF

jmc said that we don't need a collection of pf.conf examples. Maybe not, but in the past there was a skeleton that worked if you uncommented the features you needed and did some minor editing in the macros. Have a look at 4.7's default. Not a mention of NAT anywhere. The commonest function required by a raw beginner doesn't show up but all the spamd and ftp-proxy stuff does (and that's fine), but no NAT. Crazy!
Just by the way, the default pf.conf for 4.7 has a line that says:

  #pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

I don't think that line is complete, is it?

Regards,

*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.

Rod/
---
This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it.
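As an added example (not from Rod's post, the upgrade47 doc, or the OpenBSD default pf.conf), here is the 4.6 NAT router ruleset from the post carried over to 4.7 syntax with the redirect put back in, each old rule kept as a comment beside its replacement. The interface names, LAN prefix and server address are assumed placeholders.

```pf
# Added example: 4.6 simple NAT fw/router rewritten for 4.7, redirect included.
# Interface names and addresses are constructed placeholders.
ext_if  = "em0"
int_if  = "em1"
lan_net = "10.0.0.0/8"
web_srv = "10.1.2.3"      # constructed: LAN host that receives the redirect

set skip on lo

# 4.6:  nat on $ext_if from 10/8 -> ($ext_if)
match out on $ext_if inet from $lan_net nat-to ($ext_if)

# 4.6:  rdr on $ext_if proto tcp to ($ext_if) port 80 -> $web_srv
match in on $ext_if inet proto tcp to ($ext_if) port 80 rdr-to $web_srv

# match rules only translate; the packet still needs a pass rule.
# Translation happens before filtering, so the filter rules below see the
# translated addresses: the redirected web traffic is filtered on the LAN host.
block in log on $ext_if
pass out on $ext_if
pass in on $ext_if inet proto tcp to $web_srv port 80
pass on $int_if
```

Run it through pfctl -nf before loading: -n parses the file without changing the running ruleset, so a syntax slip in the new match/nat-to form is caught without dropping the box off the network.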

