Subject: Re: IPF and NAT
To: Michael Gorsuch <michael.gorsuch@gmail.com>
From: Pavel Cahyna <pavel@netbsd.org>
List: netbsd-users
Date: 12/30/2006 00:45:28
On Fri, Dec 29, 2006 at 02:43:01PM -0500, Michael Gorsuch wrote:
> I'm trying to troubleshoot a few issues with my IPFilter / NAT
> configuration over here, and am curious: at which point does that NAT
> translation take place?
> 
> Is it immediately before sending the packet out?
> 
> What about when you use 'bimap'?  When does the incoming packet get translated?

It is explained in /usr/share/examples/ipf/nat-setup:

Filtering with NAT.
-------------------
IP Filter will always translate addresses in a packet _BEFORE_ it checks its
access list for inbound packets and translates addresses _AFTER_ it has
checked the access control lists for outbound packets.

For example (using the above NAT rules), if you wanted to prevent all hosts
in the 10.1.2.0/24 subnet from using NAT, you might use the following rule
with ipf:

block out on ppp0 from 10.1.2.0/24 to any
block in on ppp0 from any to 10.1.2.0/24

and use these with ipnat:

map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
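The ordering quoted above (inbound: NAT before the access list; outbound: access list before NAT) modelled in Python, as an added example that is not part of the mailing-list post or the nat-setup file. It uses the page's own addresses and rules; the static 10.1.2.9 <-> 209.23.1.2 entry standing in for a bimap rule, the choice of 209.23.1.1 as the mapped address, and the omission of ports and the portmap ranges are assumptions of the model.

```python
import ipaddress

# Constructed model of IP Filter's ordering on the external interface ppp0:
#   inbound:  NAT rewrites the destination FIRST, then the ipf access list runs
#   outbound: the ipf access list runs FIRST, then NAT rewrites the source
# Ports and the portmap ranges of the real map rules are ignored here.
INTERNAL = ipaddress.ip_network("10.1.0.0/16")    # left side of the map rules
PUBLIC = ipaddress.ip_network("209.23.1.0/28")    # right side of the map rules
BLOCKED = ipaddress.ip_network("10.1.2.0/24")     # subnet the ipf rules keep off NAT

# Constructed static entry standing in for a bimap rule: 10.1.2.9 <-> 209.23.1.2.
NAT_TABLE = {"209.23.1.2": "10.1.2.9"}


def nat_out(src):
    """map ppp0 10.1.0.0/16 -> 209.23.1.0/28: rewrite an internal source."""
    if ipaddress.ip_address(src) in INTERNAL:
        public = str(PUBLIC[1])          # constructed: always the first usable address
        NAT_TABLE[public] = src          # remember the mapping for the reply
        return public
    return src


def nat_in(dst):
    """Reverse translation for a packet arriving on ppp0."""
    return NAT_TABLE.get(dst, dst)


def filter_out(src):
    """block out on ppp0 from 10.1.2.0/24 to any"""
    return "block" if ipaddress.ip_address(src) in BLOCKED else "pass"


def filter_in(dst):
    """block in on ppp0 from any to 10.1.2.0/24"""
    return "block" if ipaddress.ip_address(dst) in BLOCKED else "pass"


def filter_in_public(dst):
    """Misplaced rule for comparison: block in on ppp0 from any to 209.23.1.0/28."""
    return "block" if ipaddress.ip_address(dst) in PUBLIC else "pass"


def send_out(src):
    """Outbound on ppp0: the filter sees the untranslated internal source."""
    verdict = filter_out(src)
    return (verdict, nat_out(src) if verdict == "pass" else src)


def receive_in(dst, access_list=filter_in):
    """Inbound on ppp0: NAT runs first, so the filter sees the internal address."""
    internal = nat_in(dst)
    return (access_list(internal), internal)
```

The last function shows why the rule must name 10.1.2.0/24 rather than the public range: by the time the inbound access list runs, the destination has already been translated back, so a rule written against 209.23.1.0/28 never matches.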