2010/4/30, Rod Whitworth <[email protected]>:
> Quite often we have people wanting a home firewall and these folk are the
> ones who will rarely do binat.
> Besides that all the examples of NAT in the pf.conf
> manpage and the upcoming pf FAQ use the match action without ever
> explaining why. (I'll get onto Nick in another mail).

Agreed. I've read that the reason was a quite large simplification of the pf code.

> ====
> Comments:
> I found out early in testing a simple ruleset that I couldn't do simple
> NAT without using a "pass out" construct so that state was maintained.
>
> Can somebody show me a useful ruleset using match to do an elementary
> NAT to illustrate why it would be useful as opposed to a pass out rule?

I also think it would be nice to provide more commented examples *in the default* pf.conf. Rules for just basic NAT are quite carefully hidden in pf.conf(5) at somewhere about 85%, so why not just add something like:

# simple NAT setting
#match out inet from ($int_interface) to any nat-to ($out_interface)

# simple redirection of port 80 through NAT to your web server
#pass in proto tcp from any to ($out_interface) port 80 rdr-to $web_server

Or something like that. It would also be helpful for those migrating from 4.6 to get a feel for the new syntax.

Regards,
-- 
Martin Pelikán, Steadynet
gpg key 0x7176E4C9, http://cap.potazmo.cz/
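A complete ruleset answering Rod's question, added here as an illustration and not taken from either mail or from pf.conf(5). It reuses the macro names from Martin's snippet; the interface names and the web server address are assumptions. The point it shows is the one the thread circles around: a match rule only attaches the translation, and the packet still needs a pass rule of its own to leave the box, because the translation lives in the state that the pass rule creates.

```pf
# Added example (not from the mail or from pf.conf(5)); OpenBSD 4.7 syntax.
# Interface names and the web server address are assumptions.
int_interface = "em1"          # assumed LAN side
out_interface = "em0"          # assumed uplink
web_server    = "192.168.1.10" # assumed internal host

set skip on lo

# Default deny: anything leaving the box needs a pass rule of its own.
# In 4.7 every pass rule keeps state unless "no state" is given.
block log all

# (1) match decides the translation only. It never passes or blocks; it
#     tags matching packets with nat-to, and the translation is carried
#     out when a later pass rule creates the state.
match out on $out_interface inet from ($int_interface:network) to any \
    nat-to ($out_interface)

# (2) The pass rule that actually lets the packet out and creates the
#     state. Without it the match rule above has no visible effect: the
#     packet is dropped by "block log all".
pass out on $out_interface inet

# (3) The one-rule form the mail compares against. Same result for this
#     ruleset; the difference is that nat-to is then tied to this single
#     rule instead of applying to every later pass rule on the uplink,
#     which matters once you split outbound traffic across several rules.
# pass out on $out_interface inet from ($int_interface:network) to any \
#     nat-to ($out_interface)

# Port forward: rdr-to on a pass in rule translates and passes at once.
pass in on $out_interface inet proto tcp from any to ($out_interface) \
    port 80 rdr-to $web_server

# A forwarded packet is filtered on each interface it crosses, so the LAN
# side needs its own pass rules: LAN hosts out, redirected web traffic in
# towards the server (destination already rewritten to $web_server here).
pass in  on $int_interface inet from ($int_interface:network) to any
pass out on $int_interface inet proto tcp to $web_server port 80
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (parse only, no rules changed); after loading, `pfctl -ss` lists the state entries, and the entries created on $out_interface are where the translated source address shows up. Swapping (1)+(2) for the commented (3) gives the same states for this ruleset, which is exactly why the match form looks pointless in a two-rule example and only pays off in larger rulesets.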
