Subject: Inverse NAT mapping?
To: None <netbsd-help@netbsd.org>
From: Jon Lindgren <jlindgren@espus.com>
List: netbsd-help
Date: 06/05/2000 12:46:57

I've been looking at ipfilter, wondering if it can do this:

I've a private segment, connected via a NetBSD machine to a public
segment.  NAT has been configured, everything is dandy.  Private segment
gets NAT'ed, gets to the public segment, everything is smiles.

Now, I have a server which sits on the private segment (due to lack of IP
space).  This server, however, only serves web traffic.  I'd like to
redirect one port of my public server (say, port 8080) to port 80 on
the private server.  In this way, I'm kind of hoping to inverse NAT for
_only one port_ (i.e. mapping many public hosts to one private address).

Using the rdr keyword, it seems that only the dest address is rewritten, so
the syn gets redirected.  The ack, however, doesn't, so the address is
rdr'ed coming in, and NAT'ed going back out.  So it doesn't work for me.

I understand that ssh (??) might be able to do forwarding, but I'd love to
have a kernel solution, and it seems that using NAT backwards might work.

Can ipfilter do this?  Is there a better way?

TIA.

-Jon
 --------------------------------------------------------------------
 "Hey - this old machine screams like a snail on acid!" - (a true
  comment by a fellow who recently installed NetBSD on an old server)
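
The translation the message asks for, modelled as an added example (not part of the original post and not ipfilter code): a redirect that rewrites the destination inbound and records a session so the reply's source is rewritten back, next to the failure described above where the reply falls through to ordinary source NAT. All addresses, ports and names are constructed for illustration.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

PUBLIC_IP = "203.0.113.1"        # constructed: gateway's public address
PRIVATE_SERVER = "192.168.1.10"  # constructed: web server on the private segment
# Redirect table: public (address, port) -> private (address, port)
RDR = {(PUBLIC_IP, 8080): (PRIVATE_SERVER, 80)}

class Gateway:
    def __init__(self, stateful=True):
        self.stateful = stateful
        self.sessions = {}          # (client, cport, server, sport) -> original dst
        self.next_map_port = 40000  # port pool for many-to-one source NAT

    def inbound(self, p):
        target = RDR.get((p.dst, p.dport))
        if target is None:
            return p
        if self.stateful:
            # Remember what the client originally addressed.
            self.sessions[(p.src, p.sport, *target)] = (p.dst, p.dport)
        return p._replace(dst=target[0], dport=target[1])

    def outbound(self, p):
        orig = self.sessions.get((p.dst, p.dport, p.src, p.sport))
        if orig is not None:
            # Reply of a redirected connection: undo the redirect.
            return p._replace(src=orig[0], sport=orig[1])
        # No session: treated as new private traffic and source-NAT'ed.
        port = self.next_map_port
        self.next_map_port += 1
        return p._replace(src=PUBLIC_IP, sport=port)

def round_trip(stateful):
    gw = Gateway(stateful)
    syn = Packet("198.51.100.7", 51000, PUBLIC_IP, 8080)  # constructed client
    fwd = gw.inbound(syn)
    reply = gw.outbound(Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport))
    # The client accepts the reply only from the endpoint it contacted.
    return fwd, reply, (reply.src, reply.sport) == (syn.dst, syn.dport)
```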