Olli wrote:
> 
> I have a question. If I need IP-NAT I also have to enable
> IP-Filtering?

That's right.
> For IPF on NetBSD-1.3.2 I have to recompile the kernel (options IPF)?

I'm not 100% sure, but GENERIC already comes with:

pseudo-device   ipfilter                # IP filter (firewall) and NAT

but optionally for ipmon to work, you need

options        IPFILTER_LOG    # ipmon(8) log support

and again optionally, if you want ipf to block everything until explicit
allow rules take effect:

options         IPFILTER_DEFAULT_BLOCK

The above is true for -current. I can't remember for 1.3.2!

> A config-file is necessary :
> 
> # /etc/ipf.conf
> block out on ppp0 from 192.168.1.0/24 to any
> block in on ppp0 from any to 192.168.1.0/24

That's for those rules to come into effect automatically on boot, with
the relevant ipfilter=YES or whatever in rc.conf

> MY this be right?

Yes.

Cheers,

Patrick