www/faq/pf/nat.html: ambiguous examples for NAT configuration
At the very beginning of the "Configuring NAT" section at <https://www.openbsd.org/faq/pf/nat.html#config>, there's this general format for pf rules for NATing (uppercase syntactical variables and omitted optional parts by me):

> match out on INTERFACE from SRC_ADDR to DST_ADDR nat-to EXT_ADDR
> [...]
> pass out on INTERFACE from EXT_ADDR to DST_ADDR

Later, comes an actual example instantiating that general format:

> match out on tl0 from 192.168.1.0/24 to any nat-to 198.51.100.1
> pass on tl0 from 192.168.1.0/24 to any

Something does not match in the general format and the actual example:

On the general format, the source address for the "match" rule is "from SRC_ADDR", and the source address for the "pass" rule is "from EXT_ADDR".

On the actual example, the syntactical variables are instantiated as follows, in the "match" rule:

- SRC_ADDR: "192.168.1.0/24" (address of the internal subnet)
- DST_ADDR: "any"
- EXT_ADDR: "198.51.100.1" (address of gateway's external interface, outside the internal subnet block).

But the "pass" rule of the actual example uses "192.168.1.0/24" (SRC_ADDR), where, according to the general format, it should be "198.51.100.1" (EXT_ADDR) instead.

Should the source address of the pass rule be that after address translation (as in the general format) or the original one before address translation (as in the actual example)?

Is it the general format or the actual example which is correct?

--
Lucas de Sena