Subject: ipnat.conf problem
To: None <tech-net@netbsd.org>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: tech-net
Date: 11/11/2004 14:57:10
A problem with ipnat.conf on any NetBSD version.

This setup completely screws FTP (it seems active FTP will work a bit
while passive FTP won't work at all):
map pppoe0 192.168.x.0/24 -> 0/32 proxy port ftp ftp/tcp
map pppoe0 192.168.x.0/24 -> 0/32 portmap tcp/udp 40000:60000
map pppoe0 192.168.x.0/24 -> 0/32

This is the correct setup:
map pppoe0 192.168.x.0/24 -> 0/32 portmap tcp/udp 40000:60000
map pppoe0 192.168.x.0/24 -> 0/32 proxy port ftp ftp/tcp
map pppoe0 192.168.x.0/24 -> 0/32

The importance of rule ordering does not seem to be documented, and it
is not trivial to guess why the second setup is right and the first is
wrong. I personally can't understand what makes the first setup wrong.

Can someone explain to me why ordering is important here? Why isn't this
documented? Could it be fixed so that ordering wouldn't matter?

-- 
Emmanuel Dreyfus
A book in French about BSD:
http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
manu@netbsd.org