Subject: Re: Firewalling made difficult
To: None <tech-net@netbsd.org>
From: Paul B Dokas <dokas@cs.umn.edu>
List: tech-net
Date: 08/03/1999 22:31:23
On Tue, 3 Aug 1999, Paul B Dokas wrote:
>
>                     The Internet
>                          |
>                          |
>                    +============+
>                    | ADSL Modem |
>                    +============+
>                          |
>                          |
>                          |
>                          |A.B.C.D
>                     +====+=====+
>                     | Firewall |
>                     +====+=====+
>                          |10.0.0.254
>                          |
>                          |
>         ---------------------------------+
>         |              |              |
>         |              |              |
>         |10.0.0.1      |10.0.0.2      |10.0.0.3
>      +=====+        +=====+        +=====+
>      |  A  |        |  B  |        |  C  |
>      +=====+        +=====+        +=====+
>
>
> That is, I've got a Firewall with 2 NICs attached to a cable modem. The
> external NIC has a static IP and the internal has a non-routable IP.
> There are many machines on the internal LAN; I've simply shown only
> 3.
>
> And this works just fine. As each host makes outbound connects, they
> get mapped to the firewall's IP address. The filtering rules are also
> very adequate for my needs (only allow a few outbound ports, like www,
> ftp, ssh, icmp and don't allow *any* inbound traffic that doesn't have
> a matching "keep state").
>
>
> But, I've now got a block of IP addresses (8 to be exact) and I've got
> to make a few changes. With 8 addresses, I've got 5 usable for machines,
> one of which gets assigned to the firewall, leaving 4 more. This is where
> it gets sticky.
>
> I've got to map these spare IP addresses to *internal* machines such that
> the firewall will allow *bi*directional traffic. That is, packets created
> at an internal machine go through the firewall and always appear as if they
> came from the same machine. And in-bound packets from the Internet need
> to be passed through the firewall and always get routed to the same internal
> machine.
>
> Basically, a few machines need to be mapped to static external IP addresses
> and allow inbound traffic. In essence, they need to both "map" and "rdr" at
> the same time.
>
>
> Just in case you're wondering, I plan to set up highly selective filters at
> the firewall so that these statically mapped internal machines will only talk
> to a very few select computers on the Internet. And then only a few ports on
> each internal machine will be visible. Yea, yea, I know, "Yuck!".
> Unfortunately, I don't have a choice. :-( I would create VPNish tunnels to
> accomplish this, but that's also not an option.
>
>
> Now, as I said earlier, I've rtfm'd everything that I could find. About the
> only small lead that I've seen is a reference to the undocumented ipnat
> keyword called "bimap" (section 3.3 in http://www.swcp.com/~synk/ipf-howto.txt)
> which looks hopeful.
To follow up my own posting. I believe that I've found the answer (although
I haven't had a chance to test it out). After reading the IP-Filter
email list archive (http://false.net/ipfilter/) and searching for all
references to "bimap", it definitely appears to be the answer that I'm looking
for.
My ipnat.conf should be something like this:
# 10.0.0.1 <-> A.B.C.E in both directions; listed first so it matches
# before the general map rules below
bimap ep0 10.0.0.1/32 -> A.B.C.E/32
# everyone else: many-to-one NAT behind A.B.C.D (tcp/udp get remapped
# source ports; the second rule catches protocols without ports, e.g. icmp)
map ep0 10.0.0.0/29 -> A.B.C.D/32 portmap tcp/udp 10000:40000
map ep0 10.0.0.0/29 -> A.B.C.D/32
This will create a one-to-one mapping between A.B.C.E and machine 10.0.0.1 and
leave all of the other machines to NAT as usual.
Then I should be able to create ipf rules to highly restrict access to
the bimap'd machines based on their external address.
Paul
--
Paul Dokas dokas@cs.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
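As an added example (not part of the original post), here is the ipf.conf half that goes with the bimap'd host above: a default-deny ruleset on the external interface that lets 10.0.0.1 exchange traffic with exactly one remote peer on two ports. The peer address 203.0.113.10, the ports 22 and 443, and ep1 as the name of the internal interface are illustrative assumptions, not values from the post. One caveat worth knowing before writing such rules: IP Filter applies NAT to inbound packets before the filter rules see them and to outbound packets after filtering, so the filter always sees the internal address 10.0.0.1, never A.B.C.E, even on ep0.

```text
# ipf.conf -- added example, not from the original post.
# Assumed: ep0 = external interface, ep1 = internal LAN interface,
#          203.0.113.10 = the single remote peer 10.0.0.1 may talk to,
#          tcp/22 and tcp/443 = the only ports exposed on 10.0.0.1.
# ipf sees 10.0.0.1 (not A.B.C.E) on ep0 in both directions: inbound
# packets are un-bimap'd before filtering, outbound ones are bimap'd after.

# Loopback and the internal LAN are unfiltered; all policy lives on ep0.
pass in  quick on lo0 all
pass out quick on lo0 all
pass in  quick on ep1 all
pass out quick on ep1 all

# Default deny on the outside, logged. No "quick" here, so the pass rules
# below (which do use "quick") override it for what is explicitly allowed.
block in  log on ep0 all
block out log on ep0 all

# Anti-spoofing: private or our own addresses must never arrive from outside.
block in quick on ep0 from 10.0.0.0/8     to any
block in quick on ep0 from 172.16.0.0/12  to any
block in quick on ep0 from 192.168.0.0/16 to any

# Inbound to the bimap'd host (already rewritten to 10.0.0.1 by ipnat):
# only the one peer, only the two published ports, only new SYNs, with state.
pass in quick on ep0 proto tcp from 203.0.113.10 to 10.0.0.1 port = 22  flags S keep state
pass in quick on ep0 proto tcp from 203.0.113.10 to 10.0.0.1 port = 443 flags S keep state

# Outbound from the bimap'd host: filtering runs before the map, so the
# source is still 10.0.0.1. It may reach the same peer and nothing else.
pass  out quick on ep0 proto tcp from 10.0.0.1 to 203.0.113.10 flags S keep state
block out quick on ep0 from 10.0.0.1 to any

# The ordinary map'd hosts keep the old policy: a few outbound services,
# all with state, and nothing inbound that does not match a state entry.
pass out quick on ep0 proto tcp  from 10.0.0.0/29 to any port = 80  flags S keep state
pass out quick on ep0 proto tcp  from 10.0.0.0/29 to any port = 21  flags S keep state
pass out quick on ep0 proto tcp  from 10.0.0.0/29 to any port = 22  flags S keep state
pass out quick on ep0 proto udp  from 10.0.0.0/29 to any port = 53  keep state
pass out quick on ep0 proto icmp from 10.0.0.0/29 to any keep state
```

Two things to check after loading this with ipf -Fa -f /etc/ipf.conf and ipnat -CF -f /etc/ipnat.conf: ipnat -l should show the bimap entry as a single active mapping, and ipfstat -hio should show hits only on the two port-specific pass rules when the peer connects to A.B.C.E. If you ever see the block-in counter climb for traffic to A.B.C.E itself, the bimap rule is not matching (wrong interface name or a map rule listed ahead of it), not a filter problem.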