Subject: Usage of ipnat with 'rdr' command
To: current-users@NetBSD.ORG, ipfilter@coombs.anu.edu.au
From: Markus Kilbinger <kilbi@rad.rwth-aachen.de>
List: current-users
Date: 06/08/1997 12:06:42
Hi!

I tried to install a hidden telnet account behind a firewall using the
ipfilter package of NetBSD-current (end of May). Installing the 'ipf'
stuff (blocking out all non-telnet packets) works quite well, but the
redirection of the telnet connection through the firewall via 'rdr
...' doesn't work!?

Here are my steps of using ipf/ipnat:

1. '/usr/sbin/sysctl -w net.inet.ip.forwarding=0'

2. 'ipf -E -Fa -f /etc/ipf.conf'

  ipf.conf:

    block in on ed1 all
    pass in on ed1 proto tcp from 134.130.10.113 to any
    block out on ed1 all
    pass out on ed1 proto tcp from any to 134.130.10.113 port = telnet
    block in on ed1 all with frag
    block in on ed1 proto tcp all with short

3. 'ipnat -f /etc/ipnat.conf'

  ipnat.conf:

    rdr ed0 0.0.0.0/0 port 7777 -> 134.130.10.113 port telnet

4. '/usr/sbin/sysctl -w net.inet.ip.forwarding=1'

My ether devs are:

ed0:
flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,LINK0,MULTICAST> \
      mtu 1500
        address: 00:00:c0:f1:5e:c8
        inet 192.11.100.155 netmask 0xffffff00 broadcast 192.11.100.255
ed1:
flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,LINK0,MULTICAST> \
      mtu 1500
        address: 00:00:c0:ac:c3:d3
        inet 134.130.10.116 netmask 0xffffff00 broadcast 134.130.10.255

When trying to 'telnet 192.11.100.155 7777' from the 'ed0' net (a
192.11.100.x machine) I can see an arising ipnat rule with 'ipmon'
and 'ipnat -l', but no working telnet connection to 134.130.11.113.

What's my mistake?

Markus.
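As an added illustration (not part of Markus's message and not IP Filter's own code), the following Python models how ipf evaluates the rule set quoted above: rules are checked in order, the last matching rule decides when no `quick` keyword is used, a packet matching no rule passes, and `rdr` rewrites the destination before the inbound filter sees the packet. It then traces the redirected telnet connection through both interfaces. The client address 192.11.100.20 and its port 1025 are constructed; the reverse translation of the reply is not modelled.

```python
import re
import ipaddress as ipa

IPF_CONF = """block in on ed1 all
pass in on ed1 proto tcp from 134.130.10.113 to any
block out on ed1 all
pass out on ed1 proto tcp from any to 134.130.10.113 port = telnet
block in on ed1 all with frag
block in on ed1 proto tcp all with short"""  # the post's ipf.conf, verbatim
RDR = "rdr ed0 0.0.0.0/0 port 7777 -> 134.130.10.113 port telnet"  # the post's ipnat.conf
# ACTION DIR on IFACE [proto P] (all | from SRC to DST [port = N]) [with frag|short]
RULE = re.compile(r"(\w+) (in|out) on (\w+)(?: proto (\w+))? "
                  r"(?:all|from (\S+) to (\S+)(?: port = (\w+))?)(?: with (\w+))?$")
def port_num(s):
    return 23 if s == "telnet" else int(s)
def addr_match(spec, addr):  # None/'any' match everything; else host or CIDR
    return spec in (None, "any") or ipa.ip_address(addr) in ipa.ip_network(spec)

def rule_matches(r, p):
    _, d, iface, proto, src, dst, dport, flag = r
    return (d == p["dir"] and iface == p["iface"] and proto in (None, p["proto"])
            and addr_match(src, p["src"]) and addr_match(dst, p["dst"])
            and (dport is None or port_num(dport) == p["dport"])
            and (flag is None or p[flag]))  # 'with frag' / 'with short'

def filter_decision(rules, p):
    """Without 'quick', ipf lets the last matching rule decide; no match passes."""
    hits = [r[0] for r in rules if rule_matches(r, p)]
    return hits[-1] if hits else "pass"

def apply_rdr(rdr, p):
    """Rewrite the destination of an inbound packet that matches the rdr rule."""
    t = rdr.split()
    if p["dir"] == "in" and p["iface"] == t[1] and addr_match(t[2], p["dst"]) and p["dport"] == port_num(t[4]):
        return {**p, "dst": t[6], "dport": port_num(t[8])}
    return p

def trace_telnet():
    """Run the post's 'telnet 192.11.100.155 7777' through both legs of the path."""
    rules = [RULE.match(l).groups() for l in IPF_CONF.splitlines()]
    syn = dict(dir="in", iface="ed0", proto="tcp", src="192.11.100.20",  # constructed client
               dst="192.11.100.155", dport=7777, frag=False, short=False)
    syn = apply_rdr(RDR, syn)  # rdr runs before the inbound filter sees the packet
    reply = dict(dir="in", iface="ed1", proto="tcp", src="134.130.10.113",  # reverse NAT of
                 dst="192.11.100.20", dport=1025, frag=False, short=False)  # the reply not modelled
    legs = {name: filter_decision(rules, {**p, "dir": d, "iface": i})
            for name, p, d, i in [("syn_in_ed0", syn, "in", "ed0"), ("syn_out_ed1", syn, "out", "ed1"),
                                  ("reply_in_ed1", reply, "in", "ed1"), ("reply_out_ed0", reply, "out", "ed0")]}
    return syn["dst"], syn["dport"], legs
```

Running `trace_telnet()` shows every leg of the quoted rule set returning "pass", which is the kind of check that separates a filter-rule problem from a NAT or routing one; the frag rule placed after the pass rule also shows why ordering matters without `quick`.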