Subject: RE: IPNat, IPF, and webservers...
To: 'Mike Pelley' <mike@pelley.com>
From: David Woyciesjes <DAW@yalepress3.unipress.yale.edu>
List: tech-net
Date: 10/23/2000 12:20:03
Thanks to everybody for their help. But I have a weird problem left.
When I browse to my webserver, xxx.10, it's fine. When I try my cjb.net
redirection service from my LAN, I get "Connection could not be
established". But when I try it from work, it works fine. I want to be able
to check that the redirection works right, and if any firewall rules updates
work properly too. Or will this just never work?

Here's what I ended up with; I didn't miss anything important, did I?...
*****Not counting what Manuel suggested, which I'll add tonight...
>> pass in quick on ppp0 proto tcp from any to 10.10.10.10/32 port = 80
>I think you also need:
> --- pass in quick on ppp0 proto tcp from any to any flags S/SA
>to allow outgoing connections to work.
>> block in quick all with short
>Should be 
> --- block in quick on ppp0  all with short
>otherwise you may block traffic on internal interfaces too.
*****

*****IPF.CONF*****
#!/sbin/ipf -f -
#
# Prevent IP spoofing.
pass in quick on ppp0 proto tcp from any to 10.10.10.10/32 port = 80
#
block in quick all with short
# Bruce
#block in quick all with ipopts
#
# drop shorts
block in quick all with short
#
# block bad traffic on ppp0 from private networks and throw it away
# we should never see any packets like this unless something is wrong
block in quick on ppp0 from 127.0.0.0/8 to any
block in quick on ppp0 from 10.0.0.0/8 to any
block in quick on ppp0 from 192.168.0.0/16 to any
block in quick on ppp0 from 172.16.0.0/12 to any
#
# block bad cookie bot traffic and throw it away
block in quick on ppp0 from 216.30.17.160/32 to any
block out quick on ppp0 from any to 216.30.17.160/32
#
# Provisionally block all traffic coming from ppp0
block in on ppp0 from any to any
#
# don't block loopback device (I could move this somewhere else)
pass in quick on lo0 all
pass out quick on lo0 all
#
# Use keep state to allow replies to outbound traffic
pass out on ppp0 proto tcp/udp from any to any keep state
#
# Use keep state to allow replies to outbound icmp (from ping)
pass out on ppp0 proto icmp from any to any keep state
#

*****IPNAT.CONF*****
#!/sbin/ipnat -f -
#
# THIS IS WRITTEN FOR IP FILTER 3.2
#
# ex0 - (old ext.) connection to ISP, address 10.10.10.20/32
# ppp0- (new ext.) connection to SNET, DHCP address - 0/32
# ep0 - (internal) network interface, address 192.168.1.250/32
#
rdr ppp0 0/0 port 80 -> 10.10.10.10 port 80 tcp
rdr ppp0 0/0 port 80 -> 10.10.10.10 port 80 udp
#
map ppp0 10.10.10.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ppp0 10.10.10.0/24 -> 0/32
#
#To make ftp work, using the internal ftp proxy, use:
map ppp0 10.10.10.0/24 -> 0/32 proxy port ftp ftp/tcp
#

---   David A Woyciesjes
---   C & IS Support Specialist
---   Yale University Press
---   mailto:david.woyciesjes@yale.edu
---   (203) 432-0953
---   ICQ # - 905818
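As an added illustration (not part of this mail, and not ipf's own code), a small Python model of how ipf walks the IPF.CONF above: the last matching rule wins unless a matching rule is marked quick, which ends the walk, and a packet matching no rule passes. The ruleset is copied from the post with comments removed; the packets are constructed samples, and keep state is not modelled.

```python
import ipaddress
import re

# Constructed input (not the poster's file verbatim): the IPF.CONF rules above
# with comments stripped and the repeated "with short" line listed once.
IPF_RULES = """
pass in quick on ppp0 proto tcp from any to 10.10.10.10/32 port = 80
block in quick all with short
block in quick on ppp0 from 127.0.0.0/8 to any
block in quick on ppp0 from 10.0.0.0/8 to any
block in quick on ppp0 from 192.168.0.0/16 to any
block in quick on ppp0 from 172.16.0.0/12 to any
block in on ppp0 from any to any
pass in quick on lo0 all
pass out quick on lo0 all
pass out on ppp0 proto tcp/udp from any to any keep state
pass out on ppp0 proto icmp from any to any keep state
""".strip().splitlines()

# Only the rule syntax used on this page is parsed; "keep state" is accepted but
# not modelled (ipf checks its state table before walking these rules).
RULE_RE = re.compile(
    r"^(?P<action>pass|block) (?P<dir>in|out)(?P<quick> quick)?"
    r"(?: on (?P<iface>\S+))?(?: proto (?P<proto>\S+))?"
    r"(?: all| from (?P<src>\S+) to (?P<dst>\S+)(?: port = (?P<dport>\d+))?)"
    r"(?P<short> with short)?( keep state)?$")
RULES = [RULE_RE.match(line).groupdict() for line in IPF_RULES]

def in_net(addr, spec):
    return spec in (None, "any") or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(rule, pkt):
    """pkt: dict with dir, iface, src, dst and optional proto, dport, short."""
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and (rule["proto"] is None or pkt.get("proto") in rule["proto"].split("/"))
            and in_net(pkt["src"], rule["src"]) and in_net(pkt["dst"], rule["dst"])
            and (rule["dport"] is None or int(rule["dport"]) == pkt.get("dport"))
            and (rule["short"] is None or pkt.get("short", False)))

def decide(rules, pkt):
    """ipf semantics: the last matching rule wins, except that a matching rule
    marked quick ends the walk at once; a packet matching no rule passes."""
    verdict, winner = "pass", None
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict, winner = rule["action"], i
            if rule["quick"]:
                break
    return verdict, winner
```

Running decide() on a short fragment arriving on ep0 shows the point made about "block in quick all with short": with no interface given, that rule also decides packets on the internal interface.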


-> -----Original Message-----
-> From: David Woyciesjes 
-> Sent: Friday, October 20, 2000 3:02 PM
-> To: 'Mike Pelley'; David Woyciesjes
-> Cc: NetBSD Tech-Net
-> Subject: RE: IPNat, IPF, and webservers...
-> 
-> 
-> Yes, the firewall is set as the gateway. And thanks for the 
-> commands...
-> 
-> ---   David A Woyciesjes
-> ---   C & IS Support Specialist
-> ---   Yale University Press
-> ---   mailto:david.woyciesjes@yale.edu
-> ---   (203) 432-0953
-> ---   ICQ # - 905818
-> 
-> 
-> -> -----Original Message-----
-> -> From: Mike Pelley [mailto:mike@pelley.com]
-> -> Sent: Friday, October 20, 2000 2:46 PM
-> -> To: David Woyciesjes
-> -> Cc: NetBSD Tech-Net
-> -> Subject: Re: IPNat, IPF, and webservers...
-> -> 
-> -> 
-> -> I haven't looked at the stuff at dubbele.com but here are 
-> -> some thoughts.
-> -> 
-> -> > Now, all I want is to allow http (port 80) traffic thru 
-> to machine
-> -> > 10.10.10.10.
-> -> [stuff deleted]
-> -> > rdr ppp0 0/32 port 80 -> 10.10.10.10 port 80 tcp
-> -> 
-> -> One thing to check - the default gateway for 10.10.10.10 
-> -> must be the NetBSD
-> -> machine so ipnat can rewrite the reply packets.  I imagine 
-> -> you would have
-> -> set it that way but maybe not.
-> -> 
-> -> > BTW, aren't there command to renew the ipf and ipnat rules 
-> -> w/o rebooting?
-> -> 
-> -> To renew ipnat rules without disconnecting current sessions 
-> -> you can use
-> -> "ipnat -C -f /etc/ipnat.conf", and to renew ipfilter rules 
-> -> you can use
-> -> "ipf -Fa -f /etc/ipf.conf".
-> -> 