OpenBSD manual page server

Manual Page Search Parameters

NAT.CONF(5)               OpenBSD Programmer's Manual              NAT.CONF(5)

     nat.conf - network address translation configuration file for packet fil-

     The rules file for network address translation specify which addresses
     are to be mapped and which are to be redirected.

     A nat rule specifies that IP addresses are to be changed as the packet
     traverses the given interface.  This technique of network address trans-
     lation (NAT) allows a single IP address on the translating host to sup-
     port network traffic for a larger range of machines on an inside network.
     Although in theory any IP address can be used on the inside, it is
     strongly recommended that one of the address ranges defined by RFC 1918
     be used.  These netblocks are:    - (all of net 10, i.e., 10/8)  - (i.e., 172.16/12) - (i.e., 192.168/16)

     A binat rule specifies a bidirectional map between an external IP address
     and an an internal IP address.

     An rdr rule specifies an incoming connection to be redirected to another
     host and optionally a different port.

     Note that all translation rules apply only to packets that pass through
     the specified interface.  For instance, redirecting port 80 on an exter-
     nal interface to an internal web server will only work for connections
     originating from the outside.  Connections to the address of the external
     interface from local hosts will not be redirected, since such packets do
     not actually pass through the external interface.  Redirections can't re-
     flect packets back through the interface they arrive on, they can only be
     redirected to hosts connected to different interfaces or to the firewall

     Also note that all translations of packets occur before the filter rules
     in pf.conf(5) are evaluated.  Hence, 'pass in' rules for redirected pack-
     ets should specify the address/port after translation.

     Syntax for filter rules in BNF:

     rule      = [ "no" ] ( nat_rule | binat_rule | rdr_rule ) .

     nat_rule  = "nat" "on" [ "!" ] ifname [ protospec ] "from" ipspec
                 "to" ipspec [ "->" address ] .

     binat_rule = "binat" "on" ifname [ protospec ] "from" address
                  "to" ipspec [ "->" address ] .

     rdr_rule  = "rdr" "on" [ "!" ] ifname [ protospec ] "from" ipspec
                 "to" ipspec [ portspec ] [ "->" address [ portspec ] ] .

     protospec = "proto" ( number | "tcp" | "udp" | "icmp" ) .

     ipspec    = "any" | host .

     host      = [ "!" ] address [ "/" mask-bits ] .

     portspec  = "port" ( number | name ) [ ":" ( "*" | number | name ) ] .

     Comments begin with the character `#'; empty lines are ignored.  Rules
     are processed in the order read, one rule per line.  The first matching
     rule is applied.  Rules prefixed with "no" lead to no translation.  Such
     rules can be used to exclude certain connections from being translated.

     An ifname is a network interface such as fxp4, ne0, or ep1.  address can
     be specified in CIDR notation (matching a netblock), as symbolic host
     name or interface name.  Host name resolution and interface to address
     translation are done at rule set load-time.  When the address of an in-
     terface (or host name) changes (by DHCP or PPP, for instance), the rule
     set must be reloaded for the change to be reflected in the kernel.  See
     dhclient-script(8) or ppp(8) for information on how to automate this
     task.  If specified, mask-bits refers to the number of bits in the net-
     mask.  The negation character, `!', may be used before an ifname or an
     address. The protocol specification is optional.  If it is omitted, the
     rule applies to packets of all protocols.

     rdr rules can optionally specify port ranges instead of single ports.
     'rdr ... port 2000:2999 -> ... port 4000' redirects ports 2000 to 2999
     (including port 2000 and 2999) to the same port 4000.  'rdr ... port
     2000:2999 -> ... port 4000:*' redirects port 2000 to 4000, 2001 to 4001,
     ..., 2999 to 4999.

     This example maps incoming requests on port 80 to port 8080, on which
     Apache Tomcat is running (say Tomcat is not run as root, therefore lacks
     permission to bind to port 80).

     # map tomcat on 8080 to appear to be on 80
     rdr on ne3 proto tcp from any to any port 80 -> port 8080

     In the example below, vlan12 is configured for the; the ma-
     chine translates all packets coming from to when they are going out any interface except vlan12.  This
     has the net effect of making traffic from the network
     appear as though it is the Internet routeable address to
     nodes behind any interface on the router except for the nodes on vlan12.
     (Thus, can talk to the nodes.)

     nat on ! vlan12 from to any ->

     In the example below, fxp1 is the outside interface; the machine sits be-
     tween a fake internal 144.19.74.* network, and a routable external IP of  The "no nat" rule excludes protocol AH from being trans-

     no nat on fxp1 proto ah from to any
     nat on fxp1 from to any ->

     In the example below, fxp0 is the outside interface; a 1:1 bidirectional
     map is created between the private address and the routable
     external address  (Thus, incoming traffic to
     is mapped to the internal address

     binat on fxp0 from to any ->

     This longer example uses both a NAT and a redirection.  Interface kue0 is
     the outside interface, and its external address is  In-
     terface fxp0 is the inside interface, and we are running ftp-proxy(8)
     listening for outbound ftp sessions captured to port 8081.

     # NAT
     # translate outgoing packets' source addresses (any protocol)
     # in my case, any address but the gateway's external address is mapped
     nat on kue0 from ! to any ->

     # BINAT
     # translate outgoing packets' source address (any protocol)
     # translate incoming packets' destination address to an internal machine
     # (bidirectional)
     binat on kue0 from to any ->

     # RDR
     # translate incoming packets' destination addresses
     # as an example, redirect a TCP and UDP port to an internal machine
     # NOTE: the lines below are split for readability
     rdr on kue0 proto tcp from any to port 8080 \
             -> port 22
     rdr on kue0 proto udp from any to port 8080 \
             -> port 53

     # RDR
     # translate outgoing ftp control connections to send them to localhost
     # for proxying with ftp-proxy(8) running on port 8081
     rdr on fxp0 proto tcp from any to any port 21 -> port 8081


     pf(4), hosts(5), pf.conf(5), protocols(5), services(5), ftp-proxy(8),

     The nat.conf file format appeared in OpenBSD 3.0.

OpenBSD 3.1                      June 26, 2001                               3