Using the information in:

http://mail-index.netbsd.org/port-i386/2001/10/22/0014.html

I'm able to switch our outbound web traffic to a high-speed
connection (alas with just 4 ip addresses, so I use NAT as
well), while keeping things like ssh, ftp, pop, etc on the
T1 with a /25.

At present, however, I don't seem to be able to get ipfilter
to keep stat, so I am forced to allow all in where srcport = 80.

Any ideas on how to craft an ipf.conf to change this?

I'm running on 1.6.2/i386 if this matters.

Our net looks like this:

	66.243.72.0/25 ---- ex1 | NetBSD 1.6.2	| ex0 (default) 66.147.189.118/30
				|ipFilter 3.4.29|
				|_______________| fxp0 70.88.113.225/29

/etc/ipnat.conf: 
map fxp0 66.243.72.0/25 -> 70.88.113.225/32 

/etc/ipf.conf:
block in on fxp0 all 
pass out on fxp0 all
pass out on fxp0 proto tcp/udp all keep state 
pass out on fxp0 proto icmp all keep state 
pass out quick on ex0 to fxp0:70.88.113.230 proto tcp from 66.243.72.0/25 to any port = 80
pass out quick on ex0 to fxp0:70.88.113.230 proto tcp from 66.243.72.0/25 to any port = 443
#
pass in on fxp0 proto tcp from any port = 80 to 66.243.72.0/24 
pass in on fxp0 proto tcp from any port = 80 to 70.88.113.224/28 
pass in on fxp0 proto tcp from any port = 443 to 66.243.72.0/24 
pass in on fxp0 proto tcp from any port = 443 to 70.88.113.224/28 

It's those last lines that concern me.  Without them, traffic doesn't flow back
even with that "pass out on fxp0 proto tcp/udp all keep state"

I've determined that it's the inbound filtering on fxp0 that whacks responses.
But I'd be happy if I could keep state on ex1 and filter them again there.

s/t like:

pass in on ex1 proto tcp from 66.243.72.0/25 port = 80 to any keep state
block out on ex1 proto tcp from any port = 80 to 66.243.72.0/25

I've tried that, but it seems that the switch to fxp0 stops then.

Any ideas would be welcome.  Even those that say, "give up and use pf." :)

Cheers!
-sam