Subject: Re: ipfilter question / vulnerability?
To: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
From: Simon J. Gerraty <sjg@quick.com.au>
List: tech-security
Date: 09/27/1999 14:09:55
Message-Id: <199909270410.OAA07519@zen.quick.com.au>
cc: "Simon J. Gerraty" <sjg@quick.com.au>, tech-security@netbsd.org
In-reply-to: Your message of "Sun, 26 Sep 99 23:40:31 -0400."
             <19990926234031.A477@acheron.middleboro.ma.us>
Date: Mon, 27 Sep 1999 14:09:55 +1000

> > I'm _not_ using NAT, but I'm not sure it should matter.
> > I have the following in my ipf.cfg:
> 
> Hm... I assume that you've got static IP, then?

Yes, though provided you have two interfaces (I have ep0 and ppp0) I'm
not sure it should matter.

If you are trying to do it with a single ethernet interface then yes
that is hard.  

I've actually set up some "interesting" NAT boxes where we want to NAT
inbound traffic rather than outbound.  Essentially doing the
equivalent of TIS fwtk's plug-gw in the kernel.  This rather pushed
ipfilter, and is a little ugly - needing to map the box's real IP to
itself, but does work.  This was all using a single ethernet.

--sjg
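The kind of inbound-only NAT described in the message above, as an added illustration that is not part of the original post or of Simon's own configuration. The addresses, interface name (ep0, as mentioned in the thread), port and file name are assumptions. The rdr rule is what does the plug-gw-style forwarding; the map rule is one reading of "mapping the box's real IP to itself" on a single-interface box, and that reading is an assumption too: with only one ethernet, the internal server would otherwise answer the client directly, so the client sees replies from an address it never talked to and the connection fails, which is why the source is rewritten to the NAT box as the redirected packet leaves the same interface.

```conf
# /etc/ipnat.conf (assumed path) - inbound plug-gw style redirection
# on a single-interface ipfilter box.  Example addresses only:
#   203.0.113.10  - the NAT box's own (real) address on ep0
#   192.168.1.20  - internal host that really serves TCP/80

# Inbound on ep0: connections to the box's own address, port 80,
# are redirected to the internal server (ipfilter applies rdr to
# packets arriving on the interface).
rdr ep0 203.0.113.10/32 port 80 -> 192.168.1.20 port 80 tcp

# Outbound on ep0: because the redirected packet leaves by the same
# interface it arrived on, rewrite its source to the box's own
# address so the internal server replies through the NAT box instead
# of straight back to the client.  (Assumed reading of "map the box's
# real IP to itself"; check with `ipnat -l` that the session entries
# show both translations.)
map ep0 0.0.0.0/0 -> 203.0.113.10/32
```

Two checks a practitioner would want before trusting this: the ipf.conf rules must still pass the redirected traffic (ipfilter does NAT before filtering on input, so the pass rule needs to match the post-rdr destination 192.168.1.20, not the box's own address), and `ipnat -l` should list an active session for each direction while a test connection is open; if only the rdr entry appears, the return path is not being translated and the same-interface problem described above will show up as reset connections.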