On Thu, 2007-07-05 at 08:08 -0700, Darren Reed wrote:
> I think it might help if you were able to do an ascii diagram
> of how the network is constructed and point out where you
> want the traffic to go, which box is running NetBSD, etc.
> 
Thank you to all who helped me (and those who might have wanted to).

It turns out to be as trivial as I wanted it, although it will probably
still be years before I really get my mind around packet filtering etc.

In summary:

# cat /etc/ipf.conf
pass in all
pass out all
pass out quick on fxp1 to ex0:192.168.4.129 proto tcp from any to any \
port = 80
pass out quick on fxp1 to ex0:192.168.4.129 proto tcp from any to any \
port = 443

(excuse the poor formatting - evolution doesn't have an intuitively
obvious place where to change the line length).

# cat /etc/ipnat.conf
map ex0 196.30.44.148/32 -> 0/32 portmap tcp 10000:20000

eventually did the trick.  I had tried "block" instead of "pass" because
I thought I had to prevent the packets from leaving on the wrong
interface (go figure!) and I misunderstood the role played by the target
IP address in the "to" clause altogether.

The NAT "map" also came in late (I misguidedly tried "rdr" at first).

Lots of little mistakes in just a very few lines.  But now it works
better than adequately.  I won't be able to run a web server on this
host, but I think I can cope with that :-)

Again, thanks everyone, specially the various developers of very sound
and reliable software.

++L