Added new option (-punch_fw) which allows to `punch holes'

in the ipfirewall(4) for incoming FTP/IRC DCC connections.

Submitted by:	Rene de Vries <rene@canyon.demon.nl>
Rewritten by:	ru

1 files changed, 20 insertions, 0 deletions

diff --git a/sbin/natd/natd.8 b/sbin/natd/natd.8
index a0d56e5..60cf31c 100644
--- a/sbin/natd/natd.8
+++ b/sbin/natd/natd.8
@@ -29,6 +29,7 @@
 .Op Fl config | f Ar configfile
 .Op Fl log_denied
 .Op Fl log_facility Ar facility_name
+.Op Fl punch_fw Ar firewall_range
 .Sh DESCRIPTION
 This program provides a Network Address Translation facility for use
 with
@@ -412,6 +413,25 @@ Use
 to put this information into the IP option field or
 .Ar encode_tcp_stream
 to inject the data into the beginning of the TCP stream.
+.It Fl punch_fw Xo
+.Ar basenumber Ns : Ns Ar count
+.Xc
+This option makes
+.Nm
+.Ql punch holes
+in an
+.Xr ipfirewall 4
+based firewall for FTP/IRC DCC connections.
+The holes punched are bound by from/to IP address and port; it
+will not be possible to use a hole for another connection.
+A hole is removed when the connection that uses it dies.
+.Pp
+Arguments
+.Ar basenumber
+and
+.Ar count
+set the firewall range allocated for punching firewall holes.
+The range will be cleared for all rules on startup.
 .El
 .Sh RUNNING NATD
 The following steps are necessary before attempting to run