===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/etc/pf.conf,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- src/etc/pf.conf 2002/12/21 03:02:40 1.11
+++ src/etc/pf.conf 2002/12/23 11:47:52 1.12
@@ -1,38 +1,50 @@
-# $OpenBSD: pf.conf,v 1.11 2002/12/21 03:02:40 deraadt Exp $
+# $OpenBSD: pf.conf,v 1.12 2002/12/23 11:47:52 henning Exp $
 #
-# See pf.conf(5) for syntax and examples
-# General order: options, scrub rules, NAT/rdr, and filter rules.
-# Note that NAT is first match while packet filters are last match,
+# See pf.conf(5) and /usr/share/pf for syntax and examples.
+# General order: options, scrub rules, translation rules, and filter rules.
+# Note that translation rules are first match while filter rules are last match.
 #
+# Macros: define common values, so they can be referenced and changed easily.
 ext_if="ext0" # replace with actual external interface name i.e., dc0
 internal_net="10.1.1.1/8"
 external_addr="192.168.1.1"
-# Normalize: reassemble fragments and resolve or reduce traffic ambiguities
+# Options: tune the behavior of pf, default values are given.
+#set timeout { interval 30, frag 10 }
+#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
+#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90
+#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
+#set timeout { icmp.first 20, icmp.error 10 }
+#set timeout { other.first 60, other.single 30, other.multiple 60 }
+#set limit { states unlimited, frags 5000 }
+#set loginterface none
+#set optimization default
+#set block-policy drop
+#set require-order yes
+
+# Normalize: reassemble fragments and resolve or reduce traffic ambiguities.
 #scrub in all
-# nat: packets going out through $ext_if with source address $internal_net will get
-# translated as coming from $external_addr, a state is created for such packets,
-# and incoming packets will be redirected to the internal address.
-#nat on $ext_if from $internal_net to any -> $external_addr
+# nat: packets going out through $ext_if with source address $internal_net will
+# get translated as coming from the address of $ext_if, a state is created for
+# such packets, and incoming packets will be redirected to the internal address.
+#nat on $ext_if from $internal_net to any -> ($ext_if)
 # rdr: packets coming in on $ext_if with destination $external_addr:1234 will
 # be redirected to 10.1.1.1:5678. A state is created for such packets, and
 # outgoing packets will be translated as coming from the external address.
 #rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
-# filter rules
-# the implicit first two rules are
+# anchor where spamd-setup(8) attaches spam-redirection to spamd(8).
+#no rdr on { lo0, lo1 } from any to any
+#rdr-anchor spamd inet proto tcp from any to any port = smtp
+
+# filter rules: the implicit first two rules are
 #pass in all
 #pass out all
 # block all incoming packets but allow ssh, pass all outgoing tcp and udp
-# connections and keep state, logging blocked packets
+# connections and keep state, logging blocked packets.
 #block in log all
 #pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
 #pass out on $ext_if proto { tcp, udp } all keep state
-
-
-# anchor where spamd-setup(8) attaches spam-redirection to spamd(8)
-#no rdr on { lo0, lo1 } from any to any
-#rdr-anchor spamd inet proto tcp from any to any port = smtp
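Review bot: The new `#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90` line in the options block is missing its closing brace, so anyone who uncomments the option examples as shipped gets a pfctl parse error; it should read `#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }`. Separately, the two `pass … keep state` example rules at the end of the hunk carry no `flags` restriction, so — as far as I recall for pf of this vintage — a state entry is created from any matching TCP segment rather than only the opening SYN, which weakens sequence tracking on both the inbound ssh rule and the outbound rule; `#pass in on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state` would match the pf.conf(5) examples, and the `pass out` rule would need a separate tcp line with `flags S/SA` plus a udp line, since `flags` is TCP-only. It is also worth a comment that `block in log all` has no interface qualifier and so blocks lo0 traffic too unless a `pass quick on lo0 all` precedes it. All of these are commented-out examples, but they are exactly what users copy into a live ruleset, so the template should be the hardened form.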