Subject: Re: ip-nat info?
To: Armen Babikyan <armenb@moof.ai.mit.edu>
From: Dave Huang <khym@bga.com>
List: port-mac68k
Date: 11/08/1997 22:39:15
On Sat, 8 Nov 1997, Armen Babikyan wrote:
> what goes in /etc/ipf.conf? what other stuff? i'm quite confused what
> exactly "ipfilter" does. i just want ip masquerading on NetBSD. is
> "ipfilter" another name for this? "ipfilter" seems to do a lot of other

Hmmm, did you get the email I sent you? Here's a re-send

Date: Fri, 7 Nov 1997 22:25:26 -0600 (CST)
From: Dave Huang <khym@bga.com>
To: Armen Babikyan <armenb@moof.ai.mit.edu>
Subject: Re: ip-nat info?
In-Reply-To: <v03102802b0898f2b7a05@[206.40.164.208]>
Message-ID: <Pine.BSI.3.96.971107220925.4595A-100000@urchin.bga.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 7 Nov 1997, Armen Babikyan wrote:
> I'm looking for more information on the setup of IP-NAT, or something that
> will let me use my NetBSD system as an IP gateway between my LAN and the
> real internet, if my LAN machines have fake IP's.
> 
> could anyone point me to any software, readme's, url's, etc. to check out?

If you're running 1.3ALPHA (or even 1.2G or thereabouts), the software
comes with the OS. Make sure the kernel you're using has IPFilter in it;
the GENERIC kernel does; if you're compiling your own, make sure the
config file has "pseudo-device ipfilter" in it. Then "cd /dev; sh MAKEDEV
ipl" to create the IP Filter devices. Look at the ipf and ipnat manpages,
and also http://coombs.anu.edu.au/~avalon/. Also, if you've got the
source, there are some sample configurations in
/usr/src/usr.sbin/ipf/rules. (You can also get those at
ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/usr.sbin/ipf/rules/)

I use the following ipnat rules:
map ppp0 10.1.1.64/28  -> 0.0.0.0/32  portmap tcp 1025:65000
map ppp0 10.1.1.64/28  -> 0.0.0.0/32

and the following ipf rules:
block out on ppp0 proto icmp from 10.1.1.64/28 to any icmp-type echo
block out on ppp0 proto udp from 10.1.1.64/28 to any

My local network is 10.1.1.64/28, and I use demand-dial PPP to my ISP, and
get a single dynamically assigned address. The ipnat mappings are pretty
standard, although I don't map UDP because I was having some trouble with
that, mainly with DNS queries. If one of the machines sent a DNS query
out, it would get the answer, but then ipnat would redirect all future DNS
replies to that machine, and DNS would work for anyone else. I think
there's a way to make UDP work though, but I haven't really been trying
real hard :)

The first ipf filter rule is mainly to stop pings from bringing up my ppp
connection. For some reason, my Windows NT machine wants to ping a couple
of web sites when I login... I have no idea why :)

The second ipf rule is to make sure I don't accidentally leak any other
UDP packets out (for the same reason that I'm not doing NAT with UDP).

And make sure you do an "ipf -E" to enable IP Filter, otherwise neither
ipf nor ipnat will work. You can do that by setting "ipfilter=YES" in
/etc/rc.conf and creating an /etc/ipf.conf file. If you don't want any
ipfilter rules, you can just make an empty /etc/ipf.conf.

Hope this helps :)
--
Name: Dave Huang     |   Mammal, mammal / their names are called /
INet: khym@bga.com   |   they raise a paw / the bat, the cat /
FurryMUCK: Dahan     |   dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 22 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++
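The ipnat and ipf rules from the message above, as an added example that is not part of the original post: a small Python evaluator (hypothetical helper, not an IPFilter tool) that models how IPFilter handles an outbound packet on ppp0 under exactly those rules, filtering with ipf first and then picking the first matching ipnat map rule. Interface name, source addresses and ICMP type names are constructed inputs.

```python
import ipaddress
import re

# Constructed copies of the rules quoted in the post.
IPNAT_RULES = [
    "map ppp0 10.1.1.64/28  -> 0.0.0.0/32  portmap tcp 1025:65000",
    "map ppp0 10.1.1.64/28  -> 0.0.0.0/32",
]
IPF_RULES = [
    "block out on ppp0 proto icmp from 10.1.1.64/28 to any icmp-type echo",
    "block out on ppp0 proto udp from 10.1.1.64/28 to any",
]

# Only the two rule shapes that appear in the post are parsed.
MAP_RE = re.compile(
    r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)(?:\s+portmap\s+(\S+)\s+(\d+):(\d+))?$")
BLOCK_RE = re.compile(
    r"^block out on\s+(\S+)\s+proto\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)"
    r"(?:\s+icmp-type\s+(\S+))?$")


def _in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def outbound(iface, proto, src, icmp_type=None):
    """Describe the fate of an outbound packet (iface, proto, source address).

    IPFilter filters outbound packets before translating them, so a packet
    blocked by ipf never reaches ipnat; among map rules the first match wins.
    """
    for rule in IPF_RULES:
        r_if, r_proto, r_src, _dst, r_type = BLOCK_RE.match(rule).groups()
        if (r_if == iface and r_proto == proto and _in_net(src, r_src)
                and (r_type is None or r_type == icmp_type)):
            return "blocked by ipf: " + rule
    for rule in IPNAT_RULES:
        r_if, r_src, r_to, pm_proto, lo, hi = MAP_RE.match(rule).groups()
        if r_if != iface or not _in_net(src, r_src):
            continue
        if pm_proto is not None and pm_proto != proto:
            continue  # a "portmap tcp" rule only applies to TCP packets
        # 0.0.0.0/32 in ipnat means "the interface's current address"
        if pm_proto:
            return f"mapped to {r_to} with source ports {lo}-{hi}"
        return f"mapped to {r_to} (no portmap)"
    return "not translated"
```

Running `outbound("ppp0", "udp", "10.1.1.70")` shows that LAN UDP is dropped by the ipf rule, not by ipnat: the second map rule would otherwise have translated it, which is the leak the post's second ipf rule exists to prevent.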