Subject: Re: Firewalling made difficult
To: Paul B Dokas <dokas@cs.umn.edu>
From: Patrick Welche <prlw1@newn.cam.ac.uk>
List: tech-net
Date: 08/04/1999 11:27:17
Paul B Dokas wrote:
> 
...
> But, I've now got a block of IP addresses (8 to be exact) and I've got
> to make a few changes.  With 8 addresses, I've got 5 usable for machines,
> one of which gets assigned to the firewall, leaving 4 more.  This is where
> it gets sticky.
> 
> I've got to map these spare IP addresses to *internal* machines such that
> the firewall will allow *bi*directional traffic.  That is, packets created
> at an internal machine go through the firewall and always appear as if they
> came from the same machine.  And in-bound packets from the Internet, need
> to be passed through the firewall and always get routed to the same internal
> machine.

In other words, these 5 IP addresses are real, so why bother with ipnat?
Will something like
  pass in quick on outside_iface from any to realip/mask_for_block
as an ipf filter rule, with similar for outbound, do? And maybe see what
"fastroute" does? As you can see, I'm not very good at this business either!

Cheers,

Patrick
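
Editor's note: the ruleset below is an added example, not something either
poster wrote, spelling out the "skip ipnat" approach Patrick sketches. It
assumes the outside interface is ep0, the inside interface is ep1, the routed
block is 192.0.2.0/29 (a documentation range), 192.0.2.1 is the upstream
gateway, 192.0.2.2 is the firewall's outside address, and the four spare
addresses 192.0.2.3 to 192.0.2.6 are configured directly on the internal
hosts, so the firewall routes them rather than translating them. Interface
names, addresses and the services listed are all assumptions.

```conf
# /etc/ipf.conf, added example for the thread above (assumed names/addresses).
# ipf checks the state table before the rules, and a "quick" rule ends the
# search, so order matters: state hits, then anti-spoofing, then the passes,
# then the catch-all blocks.

# Anti-spoofing: nothing arriving on the outside interface may claim to come
# from our own block.
block in log quick on ep0 from 192.0.2.0/29 to any

# Inbound: only the services each real address is meant to offer. "flags S"
# matches only the initial SYN; "keep state" admits the rest of the connection
# and the replies, so no mirror rules are needed for the return traffic.
pass in quick on ep0 proto tcp from any to 192.0.2.3/32 port = 25 flags S keep state
pass in quick on ep0 proto tcp from any to 192.0.2.4/32 port = 80 flags S keep state
pass in quick on ep0 proto tcp from any to 192.0.2.2/32 port = 22 flags S keep state

# Outbound: whatever the firewall or the internal hosts originate, provided
# the source really is one of our addresses. The state entry lets the
# answers back in past the block rules below.
pass out quick on ep0 from 192.0.2.0/29 to any keep state

# Inside interface is trusted here (assumption); tighten if the inside hosts
# are not all equally trusted.
pass in quick on ep1 all
pass out quick on ep1 all

# Everything else on the outside interface is dropped and logged.
block in log quick on ep0 all
block out log quick on ep0 all
```

Two caveats a practitioner would want. First, this only works if the box
actually forwards: on NetBSD that is sysctl net.inet.ip.forwarding=1, and the
upstream router must send the whole /29 to the firewall (or the hosts must sit
on the same wire as ep0). Second, if the internal machines are to keep private
addresses after all, the bidirectional one-to-one mapping Paul describes is
exactly what ipnat's bimap rule is for, e.g. "bimap ep0 10.0.0.3/32 ->
192.0.2.3/32" in /etc/ipnat.conf, with the ipf rules above then written
against the real (post-mapping) addresses on ep0.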