www/faq/pf/nat.html: ambiguous examples for NAT configuration
On 2026/07/01 00:55, Lucas de Sena wrote:
> At the very beginning of the "Configuring NAT" section at
> <https://www.openbsd.org/faq/pf/nat.html#config>, there's this

This faq page is incorrect and needs rewriting.

> general format for pf rules for NATing (uppercase syntactical
> variables and omitted optional parts by me):
>
> > match out on INTERFACE from SRC_ADDR to DST_ADDR nat-to EXT_ADDR
> > [...]
> > pass out on INTERFACE from EXT_ADDR to DST_ADDR
>
> Later, comes an actual example instantiating that general format:
>
> > match out on tl0 from 192.168.1.0/24 to any nat-to 198.51.100.1
> > pass on tl0 from 192.168.1.0/24 to any
>
> Something does not match in the general format and the actual example:
>
> On the general format, the source address for the "match" rule is
> "from SRC_ADDR", and the source address for the "pass" rule is
> "from EXT_ADDR".
>
> On the actual example, the syntactical variables are instantiated as
> follows, in the "match" rule:
> - SRC_ADDR: "192.168.1.0/24" (address of the internal subnet)
> - DST_ADDR: "any"
> - EXT_ADDR: "198.51.100.1" (address of gateway's external interface,
>   outside the internal subnet block).
>
> But the "pass" rule of the actual example uses "192.168.1.0/24"
> (SRC_ADDR), where, according to the general format, it should be
> "198.51.100.1" (EXT_ADDR) instead.
>
> Should the source address of the pass rule be that after address
> translation (as in the general format) or the original one before
> address translation (as in the actual example)?
>
> Is it the general format or the actual example which is correct?
>
> --
> Lucas de Sena
>