Subject: Re: NAT & IPFilter
To: Sam Carleton <scarleton@miltonstreet.com>
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
List: tech-security
Date: 07/22/2001 12:21:45
In message <3B5B21E5.75FB8503@miltonstreet.com>, Sam Carleton writes:
> Ok folks I simply do NOT understand this.  The firewall seems to be
> working fine.  Standard NAT (allowing my workstations out) seems to be
> working fine.  But I am completely unable to get NAT to redirect
> incoming requests.  This is what I am using:

[ipf.conf edited out]
> ---------ipnat.conf---------
> map iy0 192.168.0.1/24 -> 0/32 proxy port ftp ftp/tcp
> map iy0 192.168.0.1/24 -> 0/32 portmap tcp/udp 40000:60000
> map iy0 192.168.0.1/24 -> 0/32
> 
> rdr iy0 0.0.0.0/32 port 22 -> 192.168.0.5 port 22
> rdr iy0 0.0.0.0/32 port 25 -> 192.168.0.5 port 25
> rdr iy0 0.0.0.0/32 port 80 -> 192.168.0.5 port 80
> rdr iy0 0.0.0.0/32 port 443 -> 192.168.0.5 port 443
> ---------ipnat.conf---------
> 
> If my understanding is correct, the NAT rules get applied before the
> packet goes through the IP Filter.  This means that the rules I have
> allowing things into 192.168.0.1 will never be used, I simply had them
> there to make sure:)

Your internal interface is tun0 and external interface is iy0.  Do I 
understand this correctly?  If so, your map and rdr statements should 
reference tun0 not iy0.

> 
> Another question:  It is my understanding that when I get a new IP
> address from my ISP, I need to have NAT update itself.  What is the best
> way to do this considering the machine never disconnects?

When the status of an interface changes you'll need to resynchronise IPF 
(ipf -y) or reload your rules (ipf -Fa -f ipf.conf).  Both are equally 
effective, though ipf -y is the proper way to do it.


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
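Added example, not part of the thread above: a small sh script that applies the second answer (run `ipf -y` when the external interface gets a new address) without depending on the machine ever disconnecting. It assumes the ipf(8) `-y` resync flag and a BSD-style ifconfig(8) whose output carries an `inet` line; the interface name `iy0`, the state-file path and the ifconfig output used for the comment are placeholders/constructed values, not taken from the original posts.

```shell
#!/bin/sh
# Re-sync IP Filter's interface table when the external address changes.
# Intended to be run from cron every few minutes or from a dhclient/ppp
# "ip-up" hook; safe to run repeatedly, it only acts on a change.

IFACE="${IFACE:-iy0}"                        # external interface (assumption)
STATE="${STATE:-/var/run/ipf-resync.addr}"   # where the last seen address is kept

# parse_inet_addr: read ifconfig(8) output on stdin and print the first
# IPv4 address found on an "inet" line (nothing if the interface has none).
# Example constructed input line:  "    inet 203.0.113.7 netmask 0xffffff00"
parse_inet_addr() {
    awk '$1 == "inet" { print $2; exit }'
}

# current_addr IFACE: the interface's live IPv4 address, or empty.
current_addr() {
    ifconfig "$1" 2>/dev/null | parse_inet_addr
}

# addr_changed OLD NEW: succeed (exit 0) when the address differs.
# An empty OLD (first run, or state file missing) counts as a change, so
# the rules are resynced once after boot as well.
addr_changed() {
    [ "$1" != "$2" ]
}

# resync_if_changed: compare the stored address with the live one and,
# on a change, tell IP Filter to re-read interface addresses (ipf -y) so
# the "0/32" map rules and "0.0.0.0/32" rdr rules follow the new address.
resync_if_changed() {
    old=$(cat "$STATE" 2>/dev/null)
    new=$(current_addr "$IFACE")
    if [ -z "$new" ]; then
        echo "$IFACE has no inet address; not resyncing" >&2
        return 1
    fi
    if addr_changed "$old" "$new"; then
        echo "$IFACE address changed (${old:-none} -> $new); running ipf -y" >&2
        ipf -y && printf '%s\n' "$new" > "$STATE"
    fi
}

# Only act when invoked with "run", so sourcing the file just defines the
# functions:   sh ipf-resync.sh run
if [ "${1:-}" = "run" ]; then
    resync_if_changed
fi
```

Note that `ipf -y` only refreshes the addresses IP Filter has cached for each interface; if you also edit ipnat.conf or ipf.conf you still need the full reload (`ipf -Fa -f ipf.conf`, and `ipnat -CF -f ipnat.conf`) that the reply mentions.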