"Ease understanding" of how -punch_fw works.

Reviewed by: sheldonh
2000-06-29 09:52:14 +00:00 · 2000-06-29 09:52:14 +00:00 · 38b5153ff9
commit 38b5153ff9
parent 73c76eae03
1 changed files with 11 additions and 9 deletions
--- a/sbin/natd/natd.8
+++ b/sbin/natd/natd.8
@ -416,21 +416,23 @@ to inject the data into the beginning of the TCP stream.
 .It Fl punch_fw Xo
 .Ar basenumber Ns : Ns Ar count
 .Xc
-This option makes
+This option directs
 .Nm
-.Ql punch holes
+to
+.Dq punch holes
 in an
 .Xr ipfirewall 4
 based firewall for FTP/IRC DCC connections.
-The holes punched are bound by from/to IP address and port; it
-will not be possible to use a hole for another connection.
-A hole is removed when the connection that uses it dies.
+This is done dynamically by installing temporary firewall rules which
+allow a particular connection (and only that connection) to go through
+the firewall.
+The rules are removed once the corresponding connection terminates.
 .Pp
-Arguments
-.Ar basenumber
-and
+A maximum of
 .Ar count
-set the firewall range allocated for punching firewall holes.
+rules starting from the rule number
+.Ar basenumber
+will be used for punching firewall holes.
 The range will be cleared for all rules on startup.
 .El
 .Sh RUNNING NATD