Subject: RE: ping,traceroute works but ftp,http
To: Oliver <oliverko@dialup.nacamar.de>
From: Mike Pelley <mike@pelley.com>
List: netbsd-help
Date: 11/22/1999 17:55:24
> If  I made a "ping ftp.netbsd.org" or "traceroute -i eth0
> ftp.netbsd.org" from other hosts (for instance Linux box) I
> get packages back (I can see the route to the host
> ftp.netbsd.org). But if  I try "ftp ftp.netbsd.org" no ftp
> - login appears or "lynx http://www.netbsd.org" lynx prompts
> only something like "... connected to http://www.netbsd.org ..."
> without displaying the webpages.

It sounds like you have ICMP but no TCP.  Is your netbsd box running NAT for
the machines behind it, or is it routing?  If you are running NAT, it's
likely that your NAT rules (/etc/ipnat.conf) are not 100%.  The following
rules are often a good start:

map de0 10.0.0.0/24  -> 209.236.3.54/32  proxy port ftp ftp/tcp
map de0 10.0.0.0/24  -> 209.236.3.54/32  portmap tcp/udp 10000:40000
map de0 10.0.0.0/24  -> 209.236.3.54/32

where de0 is your external interface (might be ppp0 for dialup),
209.236.3.54 is your external IP (might be 0.0.0.0/0 for dynamic ip), and
10.0.0.0/24 is your internal network #'s.  The first line proxies active ftp
(not required), the second allows tcp/udp to work nicely, and the third
enables everything else.  If you left out the second line, the machines
behind the netbsd box may not be able to communicate to machines on the
internet via TCP/UDP - you need to portmap to allow multiple internal
machines to talk to the outside world on the same IP so their ports don't
overlap.

Good luck!

Mike.
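
Added example (not part of the original message and not IPFilter code): a small Python lint for the three-rule ipnat.conf pattern described above. It assumes ipnat applies the first matching map rule; the function names and the sample rulesets (documentation addresses) are constructed for illustration.

```python
import re

# Subset of ipnat.conf syntax used in the message:
#   map <ifname> <internal-net> -> <external-addr> [proxy ... | portmap ...]
MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s*(.*)$")

def parse_maps(text):
    """Return (lineno, ifname, internal, external, options) for each map rule."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = MAP_RE.match(raw.split("#", 1)[0].strip())  # drop comments
        if m:
            rules.append((lineno, *m.groups()))
    return rules

def lint(text):
    """Return warnings for the pitfalls described in the message."""
    warnings, groups = [], {}
    for rule in parse_maps(text):
        # Group rules by (interface, internal network).
        groups.setdefault(rule[1:3], []).append(rule)
    for (ifname, internal), rules in groups.items():
        where = f"{ifname} {internal}"
        externals = sorted({r[3] for r in rules})
        if len(externals) > 1:
            warnings.append(f"{where}: mixed external addresses {externals}")
        portmap = [r[0] for r in rules if r[4].startswith("portmap")]
        plain = [r[0] for r in rules if r[4] == ""]
        if not portmap:
            warnings.append(f"{where}: no portmap rule for tcp/udp")
        elif plain and min(plain) < min(portmap):
            # Assumption: first match wins, so an earlier catch-all hides portmap.
            warnings.append(f"{where}: plain map on line {min(plain)} shadows portmap")
    return warnings

# Constructed sample rulesets (documentation addresses, not from the message).
GOOD = """\
map ppp0 192.168.1.0/24 -> 198.51.100.7/32 proxy port ftp ftp/tcp
map ppp0 192.168.1.0/24 -> 198.51.100.7/32 portmap tcp/udp 10000:40000
map ppp0 192.168.1.0/24 -> 198.51.100.7/32
"""
BAD = """\
map ppp0 192.168.1.0/24 -> 198.51.100.7/32   # catch-all placed first
map ppp0 192.168.1.0/24 -> 198.51.100.9/32 portmap tcp/udp 10000:40000
"""

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(conf) or "ok")
```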