Subject: Re: NAT & IPFilter
To: Sam Carleton <scarleton@miltonstreet.com>
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
List: tech-security
Date: 07/22/2001 13:04:36
In message <3B5B2A4B.26D13E5E@miltonstreet.com>, Sam Carleton writes:
> Cy Schubert - ITSD Open Systems Group wrote:
> 
> > In message <3B5B21E5.75FB8503@miltonstreet.com>, Sam Carleton writes:
> >
> > [ipf.conf  among other stuff edited out]
> > > ---------ipnat.conf---------
> > > map iy0 192.168.0.1/24 -> 0/32 proxy port ftp ftp/tcp
> > > map iy0 192.168.0.1/24 -> 0/32 portmap tcp/udp 40000:60000
> > > map iy0 192.168.0.1/24 -> 0/32
> > >
> > > rdr iy0 0.0.0.0/32 port 22 -> 192.168.0.5 port 22
> > > rdr iy0 0.0.0.0/32 port 25 -> 192.168.0.5 port 25
> > > rdr iy0 0.0.0.0/32 port 80 -> 192.168.0.5 port 80
> > > rdr iy0 0.0.0.0/32 port 443 -> 192.168.0.5 port 443
> > > ---------ipnat.conf---------
> >
> > Your internal interface is tun0 and external interface is iy0.  Do I
> > understand this correctly?  If so, your map and rdr statements should
> > reference tun0 not iy0.
> 
> Ok, my mind is totally fried at this point.  iy0 is my outside NIC and ex0 is
> my inside NIC.  The three map commands seem to be working just fine
> considering the fact that I have been able to get and receive all these
> emails, and hit the web from 192.168.0.20.  I relay mail through 192.168.0.5
> and I know that is working because both you and I are getting my posting to
> the mailing list.  I also have a conversation going on using one of the chat
> programs, too.  But you are saying that it should read like this:
> 
> map ex0 192.168.0.1/24 -> 0/32 proxy port ftp ftp/tcp
> map ex0 192.168.0.1/24 -> 0/32 portmap tcp/udp 40000:60000
> map ex0 192.168.0.1/24 -> 0/32
> 
> rdr ex0 0.0.0.0/32 port 22 -> 192.168.0.5 port 22
> rdr ex0 0.0.0.0/32 port 25 -> 192.168.0.5 port 25
> rdr ex0 0.0.0.0/32 port 80 -> 192.168.0.5 port 80
> rdr ex0 0.0.0.0/32 port 443 -> 192.168.0.5 port 443

No.  Your NAT rules should look like this:

map iy0 0/0            -> 0/32 proxy port ftp ftp/tcp
map iy0 192.168.0.1/24 -> 0/32 proxy port ftp ftp/tcp
map iy0 192.168.0.1/24 -> 0/32 portmap tcp/udp 40000:60000
map iy0 192.168.0.1/24 -> 0/32

rdr iy0 0.0.0.0/0 port 22  -> 192.168.0.5 port 22 tcp
rdr iy0 0.0.0.0/0 port 25  -> 192.168.0.5 port 25 tcp
rdr iy0 0.0.0.0/0 port 80  -> 192.168.0.5 port 80 tcp
rdr iy0 0.0.0.0/0 port 443 -> 192.168.0.5 port 443 tcp

The first map rule proxies FTP from the NAT gateway itself.  If you're 
not going to initiate FTP sessions from the gateway, you can omit the 
rule.

Notice the rdr rules.  The difference is the netmask becomes 0 and a 
protocol is added.

> 
> > > Another question:  It is my understanding that when I get a new IP
> > > address for my ISP, I need to have NAT update itself.  What is the best
> > > way to do this considering the machine never disconnects?
> >
> > When the status of an interface changes you'll need to resynchronise IPF
> > (ipf -y) or reload your rules (ipf -Fa -f ipf.conf).  Both are equally
> > effective, though ipf -y is the proper way to do it.
> 
> Ok, but how do I go about getting ipf -y to run whenever the machine gets a
> new IP address?

IIRC, you get your IP address through DHCP.  You would have to put the 
ipf -y command in your dhclient-script script.


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
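The hook the reply points at, worked out as an added example; this is my code, not anything posted in the thread. It assumes ISC dhclient, whose dhclient-script sources /etc/dhclient-exit-hooks on every lease event and exports the variables $reason, $interface, $old_ip_address and $new_ip_address (check dhclient-script(8) on the box, since hook file names differ between systems); iy0 as the external interface is taken from the thread. IPF_CMD is my own knob so the decision logic can be exercised without ipf(8) present.

```shell
#!/bin/sh
# Added example (not from the original thread): a dhclient exit hook that
# runs "ipf -y" when the DHCP lease moves the external interface to a new
# address, so IPFilter and ipnat pick up the change without a disconnect.
# Assumptions (mine, not the poster's):
#   - ISC dhclient; dhclient-script sources /etc/dhclient-exit-hooks and
#     exports $reason, $interface, $old_ip_address, $new_ip_address.
#   - iy0 is the external interface, as in the thread.
#   - IPF_CMD may be overridden (e.g. IPF_CMD=true) for testing.

EXT_IF="${EXT_IF:-iy0}"
IPF_CMD="${IPF_CMD:-ipf}"
IPF_LAST_RESYNC=""

# Decide whether a lease event warrants a resync.
# Args: reason interface old_ip new_ip.  Returns 0 = resync, 1 = nothing to do.
ipf_resync_needed() {
    reason=$1; iface=$2; old_ip=$3; new_ip=$4
    # Lease events on the inside NIC do not affect NAT on iy0.
    [ "$iface" = "$EXT_IF" ] || return 1
    case "$reason" in
        BOUND|REBOOT)
            # A fresh lease: the interface state has just changed.
            return 0 ;;
        RENEW|REBIND)
            # Same lease renewed: act only if the address actually moved.
            [ -n "$new_ip" ] && [ "$old_ip" != "$new_ip" ] ;;
        *)
            # EXPIRE, FAIL, RELEASE etc.: nothing useful to resync to.
            return 1 ;;
    esac
}

# Perform the resync ("ipf -y", the proper way per the thread) and log it.
ipf_resync() {
    "$IPF_CMD" -y || return 1
    IPF_LAST_RESYNC="$EXT_IF"
    if command -v logger >/dev/null 2>&1; then
        logger -t dhclient-ipf "resynchronised IPFilter after lease change on $EXT_IF"
    fi
    return 0
}

# Entry point for dhclient-script: reads the exported lease variables.
dhclient_ipf_hook() {
    if ipf_resync_needed "${reason:-}" "${interface:-}" \
                         "${old_ip_address:-}" "${new_ip_address:-}"; then
        ipf_resync
    fi
}

# When sourced by dhclient-script $reason is set; running the file directly
# only defines the functions.
if [ -n "${reason:-}" ]; then
    dhclient_ipf_hook
fi
```

Resyncing on RENEW only when the address differs avoids tearing down the NAT state table every time the lease is merely refreshed; a BOUND or REBOOT event always resyncs because the interface has just come up. Reloading with `ipf -Fa -f ipf.conf` instead would also work, as the reply says, but `ipf -y` is the intended tool for an address change.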