From 6d5248e03db1d7dcbf9dd437cbb90fe8aaeb4ad6 Mon Sep 17 00:00:00 2001
From: mlarkin <>
Date: Wed, 29 Nov 2017 00:15:34 +0000
Subject: [PATCH] Document NAT and DNS forwarding rules for vmd(8)
discussed at length with benno, beck, deraadt, and florian
---
 src/etc/examples/pf.conf | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/etc/examples/pf.conf b/src/etc/examples/pf.conf
index 2dd043aa..39edf796 100644
--- a/src/etc/examples/pf.conf
+++ b/src/etc/examples/pf.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: pf.conf,v 1.2 2015/05/18 16:04:21 reyk Exp $
+# $OpenBSD: pf.conf,v 1.3 2017/11/29 00:15:34 mlarkin Exp $
 #
 # See pf.conf(5) for syntax and examples.
 # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
@@ -31,5 +31,10 @@ pass # establish keep-state
 #block in quick from urpf-failed to any # use with care
+# rules for vmd(8) - NAT and DNS forwarding for VMs (100.64.0.0/10 default)
+#pass out on egress from 100.64.0.0/10 to any nat-to (egress)
+#pass in proto udp from 100.64.0.0/10 to any port domain \
+# rdr-to $dns_server port domain
+
 # By default, do not permit remote connections to X11
 block return in on ! lo0 proto tcp to port 6000:6010
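Review bot: The commented `rdr-to` example in the second hunk refers to `$dns_server`, a macro that neither hunk defines (lines 5-30 of the file are outside the diff), so a reader who only uncomments these lines would presumably get a ruleset that fails to load. The comment block should say the macro has to be set first, for example `#dns_server = "192.0.2.53"  # placeholder: resolver the VMs should use`. The same rule matches only `proto udp`, so DNS over TCP from the VMs (truncated or large answers) is not redirected; `proto { udp tcp }` would cover both. The `pass in` line is also not bound to an interface, so it accepts the 100.64.0.0/10 source address on whichever interface the packet arrives; a short comment advising readers to restrict it to the VM-facing interfaces would make the example safer to copy verbatim.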