From f685a909b59c80d99dc4fd65f24f7778b06e557b Mon Sep 17 00:00:00 2001 From: Ruslan Ermilov Date: Thu, 29 Jun 2000 09:52:14 +0000 Subject: [PATCH] "Ease understanding" of how -punch_fw works. Reviewed by: sheldonh --- sbin/natd/natd.8 | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/sbin/natd/natd.8 b/sbin/natd/natd.8 index 60cf31c058c0..81d418a0ba54 100644 --- a/sbin/natd/natd.8 +++ b/sbin/natd/natd.8 @@ -416,21 +416,23 @@ to inject the data into the beginning of the TCP stream. .It Fl punch_fw Xo .Ar basenumber Ns : Ns Ar count .Xc -This option makes +This option directs .Nm -.Ql punch holes +to +.Dq punch holes in an .Xr ipfirewall 4 based firewall for FTP/IRC DCC connections. -The holes punched are bound by from/to IP address and port; it -will not be possible to use a hole for another connection. -A hole is removed when the connection that uses it dies. +This is done dynamically by installing temporary firewall rules which +allow a particular connection (and only that connection) to go through +the firewall. +The rules are removed once the corresponding connection terminates. .Pp -Arguments -.Ar basenumber -and +A maximum of .Ar count -set the firewall range allocated for punching firewall holes. +rules starting from the rule number +.Ar basenumber +will be used for punching firewall holes. The range will be cleared for all rules on startup. .El .Sh RUNNING NATD
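Review bot: the rewritten paragraph drops the one concrete detail the old text gave about how a punched hole is scoped, namely that it is "bound by from/to IP address and port", and replaces it with the vaguer "allow a particular connection (and only that connection)". Since that keying is exactly what a firewall administrator needs in order to judge how narrow the temporary rules are, consider keeping it, e.g. "allow a particular connection (matched by source and destination IP address and port, and only that connection) to go through the firewall." The new sentence "A maximum of .Ar count rules starting from the rule number .Ar basenumber will be used for punching firewall holes." also leaves unstated what happens once all count rules are in use; a short clause saying whether further connections are then not punched would complete the description. The retained sentence "The range will be cleared for all rules on startup." is the important operational caveat and could be worded more explicitly, e.g. that any pre-existing rules numbered in that range are deleted when natd starts, so the range must not overlap the administrator's own rules.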