Subject: Re: NAT & IPFilter
To: Sam Carleton <>
From: Cy Schubert - ITSD Open Systems Group <>
List: tech-security
Date: 07/22/2001 12:21:45
In message <>, Sam Carleton writes:
> Ok folks I simply do NOT understand this.  The firewall seems to be
> working fine.  Standard NAT (allowing my workstations out) seems to be
> working fine.  But I am completely unable to get NAT to redirect
> incoming requests.  This is what I am using:

[ipf.conf edited out]
> ---------ipnat.conf---------
> map iy0 -> 0/32 proxy port ftp ftp/tcp
> map iy0 -> 0/32 portmap tcp/udp 40000:60000
> map iy0 -> 0/32
> rdr iy0 port 22 -> port 22
> rdr iy0 port 25 -> port 25
> rdr iy0 port 80 -> port 80
> rdr iy0 port 443 -> port 443
> ---------ipnat.conf---------
> If my understanding is correct, the NAT rules get applied before the
> packet goes through the IP Filter.  This means that the rules I have
> allowing things into will never be used, I simply had them
> there to make sure:)

Your internal interface is tun0 and external interface is iy0.  Do I 
understand this correctly?  If so, your map and rdr statements should 
reference tun0 not iy0.

> Another question:  It is my understanding that when I get a new IP
> address from my ISP, I need to have NAT update itself.  What is the best
> way to do this considering the machine never disconnects?

When the status of an interface changes you'll need to resynchronise IPF 
(ipf -y) or reload your rules (ipf -Fa -f ipf.conf).  Both are equally 
effective, though ipf -y is the proper way to do it.

Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:
Open Systems Group, ITSD, ISTA
Province of BC
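As an added example, not part of this thread, a small Python checker for the two points discussed above: it parses ipnat.conf map/rdr rules, flags any rule not bound to the ISP-facing interface, and emits the ipf.conf "pass in" lines each rdr target needs, because inbound NAT runs before the filter, so the filter must permit the translated internal address. The sample config, its addresses and the deliberate tun0 rule on line 6 are constructed, not the poster's real configuration.

```python
import re

# Constructed ipnat.conf modelled on the thread's rules, with assumed addresses
# (LAN 192.168.1.0/24, server 192.168.1.10) so each line is a complete rule.
SAMPLE_IPNAT_CONF = """\
map iy0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map iy0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map iy0 192.168.1.0/24 -> 0/32
rdr iy0 0/0 port 22 -> 192.168.1.10 port 22 tcp
rdr iy0 0/0 port 25 -> 192.168.1.10 port 25 tcp
rdr tun0 0/0 port 80 -> 192.168.1.10 port 80 tcp
rdr iy0 0/0 port 443 -> 192.168.1.10 port 443 tcp
"""

# map:  <if> <internal net> -> <translate-to addr> [proxy/portmap options]
# rdr:  <if> <external addr> [port N] -> <internal addr> [port M] [proto]
RULE_RE = re.compile(
    r"^(?P<kind>map|rdr)\s+(?P<ifname>\S+)\s+(?P<src>\S+)"
    r"(?:\s+port\s+(?P<sport>\S+))?\s+->\s+(?P<dst>\S+)"
    r"(?:\s+port\s+(?P<dport>\S+))?\s*(?P<opts>.*)$")

def parse_ipnat(text):
    """Parse map/rdr rules into dicts; '#' comments and blank lines are skipped.
    Keys: kind, ifname, src, sport, dst, dport, opts, line_no."""
    rules = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {no}: unrecognised ipnat rule: {raw!r}")
        rules.append(dict(m.groupdict(), line_no=no))
    return rules

def wrong_interface(rules, external_if):
    """Rules not bound to the ISP-facing interface: map rules apply to packets
    leaving through it and rdr rules to packets arriving on it."""
    return [r for r in rules if r["ifname"] != external_if]

def pass_rules_for_rdr(rules, external_if):
    """ipf.conf 'pass in' lines for each redirection: NAT runs before the
    filter on input, so the filter must allow the translated destination."""
    return [f"pass in quick on {external_if} proto tcp from any to {r['dst']} "
            f"port = {r['dport']} flags S keep state"
            for r in rules if r["kind"] == "rdr"]
```

Run it against your own ipnat.conf with the real external interface name; any rule reported by wrong_interface will never match the traffic it was written for, and each rdr needs the matching pass line in ipf.conf.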