Subject: Re: Inverse NAT mapping?
To: None <sudog@sudog.com, netbsd-help@netbsd.org>
From: Amir Nazary <amir@oversteer.com>
List: netbsd-help
Date: 06/05/2000 15:48:01

As long as the default gateway for the web server on the unroutable
segment is the NAT'ing box, the rdr does work.

Say the external interface was fxp0, and the web server's IP was
a.b.c.d, to map 8080 to http, just put:

rdr fxp0 0.0.0.0/0 port 8080 -> a.b.c.d port http

in your ipnat config file.

- Amir


sudog@sudog.com wrote:
> 
> > On Mon, Jun 05, 2000 at 12:46:57PM -0400, Jon Lindgren wrote:
> > > I've been looking at ipfilter, wondering if it can do this:
> > >
> > > I've a private segment, connected via a NetBSD machine to a public
> > > segment.  NAT has been configured, everything is dandy.  Private segment
> > > gets NAT'ed, gets to the public segment, everything is smiles.
> > >
> > > Now, I have a server which sits on the private segment (due to lack of IP
> > > space).  This server, however, only serves web traffic.  I'd like to
> > > redirect one port of my public server (say, port 8080) to port 80 on
> > > the private server.  In this way, I'm kind of hoping to inverse NAT for
> > > _only one port_ (i.e. mapping many public hosts to one private address).
> > >
> > > Using the rdr keyword seems that only the dest address is rewritten, so
> > > the syn gets redirected.  The ack, however, doesn't, so the address is
> > > rdr'ed coming in, and NAT'ed going back out.  So it doesn't work for me.
> >
> > rdr should work; I've used it for this exact purpose in the past.
> 
> Here's a me too for this note. =]
> 
> marc

-- 
Amir Nazary				amir@faxpc.com
Network Operations Manager		Image Power Inc.
1075 West Georgia Street		Vancouver, BC CANADA V6E 3C9
GET A FREE UNIVERSAL MESSAGE PHONE NUMBER AT  http://www.faxpc.com
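
The gateway condition from the reply above, as a small model (an added example, not part of the original message and not IPFilter code). It is a simplified sketch of one rdr rule and its state table; the addresses are constructed documentation addresses standing in for fxp0's address, a.b.c.d and a client.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")


class NatBox:
    """Toy model of one rdr rule plus the per-connection state it creates."""

    def __init__(self, public_ip, ext_port, server_ip, server_port):
        self.public = (public_ip, ext_port)
        self.server = (server_ip, server_port)
        self.state = set()  # (client ip, client port) of redirected connections

    def inbound(self, pkt):
        # rdr rewrites only the destination and remembers the client.
        if (pkt.dst, pkt.dport) != self.public:
            return pkt
        self.state.add((pkt.src, pkt.sport))
        return pkt._replace(dst=self.server[0], dport=self.server[1])

    def outbound(self, pkt):
        # A reply on a redirected connection gets the public address and port back.
        if (pkt.src, pkt.sport) == self.server and (pkt.dst, pkt.dport) in self.state:
            return pkt._replace(src=self.public[0], sport=self.public[1])
        return pkt


def reply_accepted(via_nat_box):
    """Return True if the client would accept the server's SYN/ACK.

    via_nat_box=True models the web server using the NAT box as its default
    gateway; False models the reply leaving through some other router.
    """
    nat = NatBox("203.0.113.1", 8080, "192.168.1.10", 80)    # constructed values
    syn = Packet("198.51.100.7", 40000, "203.0.113.1", 8080)  # constructed client
    at_server = nat.inbound(syn)
    synack = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    on_wire = nat.outbound(synack) if via_nat_box else synack
    # The client only accepts a reply from the address and port it sent the SYN to.
    return (on_wire.src, on_wire.sport) == (syn.dst, syn.dport)


if __name__ == "__main__":
    print("reply via NAT box accepted:", reply_accepted(True))
    print("reply via other gateway accepted:", reply_accepted(False))
```

When the reply bypasses the NAT box it still carries the private source address and port 80, so the client has no matching connection for it.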