Subject: can't figure out port forwarding. :-(
To: NetBSD <netbsd-help@netbsd.org>
From: None <fernando@rxp.com>
List: netbsd-help
Date: 05/26/2003 12:02:52

Hi NetBSD Geniuses! :-)

	After reading all the messages about port forwarding, ipf, ipnat, and a few
other subjects in the NetBSD world, I have come to the conclusion that all
these years of playing with M$oft products have made me retarded. :-(

	I am trying to set up a Terminal server behind a NetBSD box. I tried to
understand the port forwarding thing in ipf.conf but there isn't anything in
that file except a default line that the NetBSD installation put in there.
And a few more lines for ipnat.conf. (it's not like I understand either of
them anyway).

	My NetBSD box has 2 nics (ex0-external and ex1-internal). ex0 gets ip
24.25.26.27 as assigned by the isp while ex1 gets ip 192.168.1.250 (I think
I assigned that one or it auto'd to that during install).

The only thing in my ipf.conf file is:
-----------------------------------------
	#Prevent IP spoofing.
	block in quick all with short
-----------------------------------------

And all that is in my ipnat.conf file is:
-----------------------------------------
	#!/sbin/ipnat -f -
	#
	# THIS IS WRITTEN FOR IP FILTER 3.2
	#
	# ex0 - (external) connection to ISP, address 24.25.26.27/32
	#
	# ex1 - (internal) network interface, address 192.168.1.250/32
	#
	#
	map ex0 192.168.1.250/24 -> 24.25.26.27/32 portmap tcp/udp 40000:60000
	map ex0 192.168.1.250/24 -> 24.25.26.27/32
	#
	#
	#To make ftp work, using the internal ftp proxy, use:
	#
	map ex0 192.168.1.250/24 -> 24.25.26.27/32 proxy port ftp ftp/tcp
-----------------------------------------

	What I currently have is 3 static ip addresses (only using 2 right now) and
I have a server sitting on one of them (exposed to the internet 'cuz it has
a web site on it). I need to put that server behind the NetBSD box but still
have access to the terminal services and web sites on that machine.

	This is a link to a diagram of what I have now and what I am trying to do.
Although I'm sure my explanation is enough. http://vpndns.com/now.htm

	I tried to make a line like the last one in the ipnat.conf file. It didn't
work. :-\ and I found on the web that the port the client initializes is
port 3389 tcp. How do I create a line in the conf files to allow 3389 entry?
Will the new line include the ip address of the server (the new internal ip
address of the terminal server will be something like 192.168.1.44)?

	On a web site I saw an answer to someone else's same question but it only
said: "you only need to redirect your TCP port 3389 through your firewall to
the IP-Addr. of the Terminal Server." ... How??? Is it something like:
redirect port 3389 -> 192.168.1.44

	If the above is correct, how would I handle multiple servers if everything
going to port 3389 is going to go to one machine? (magic, right? ;-)

Thank you VERY much for any help at all.
Fernando

PS: "vi" is KILLING me. Can I just share the whole drive and use notepad?
:-P
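
An added example, not part of the original post: IP Filter `rdr` rules for the setup described in the message, using its interface names and addresses, plus ipf rules that limit who can reach the forwarded port. The second server 192.168.1.45, the public port 3390 and the client range 203.0.113.0/24 are constructed placeholders.

```conf
# ---- lines to add to /etc/ipnat.conf ----
# Inbound redirect: TCP 3389 arriving on ex0 for the public address
# is rewritten to the terminal server's internal address.
rdr ex0 24.25.26.27/32 port 3389 -> 192.168.1.44 port 3389 tcp

# Only one internal host can own public port 3389 on a given public
# address. A second terminal server (192.168.1.45, hypothetical) gets
# its own public port (3390 is an arbitrary choice); clients connect
# to 24.25.26.27:3390 and the server still listens on 3389.
rdr ex0 24.25.26.27/32 port 3390 -> 192.168.1.45 port 3389 tcp

# The web site on the same server.
rdr ex0 24.25.26.27/32 port 80 -> 192.168.1.44 port 80 tcp

# ---- lines to add to /etc/ipf.conf ----
# ipnat rewrites the destination before ipf filters an inbound packet,
# so these rules match the internal address and the internal port.
# 203.0.113.0/24 stands for the network the RDP clients come from.
pass in quick on ex0 proto tcp from 203.0.113.0/24 to 192.168.1.44 port = 3389 flags S keep state
pass in quick on ex0 proto tcp from 203.0.113.0/24 to 192.168.1.45 port = 3389 flags S keep state
# Every other source is refused on the terminal-services port.
block in quick on ex0 proto tcp from any to 192.168.1.0/24 port = 3389
# The web site stays reachable from anywhere.
pass in quick on ex0 proto tcp from any to 192.168.1.44 port = 80 flags S keep state

# Reload both rule sets after editing:
#   ipnat -CF -f /etc/ipnat.conf
#   ipf -Fa -f /etc/ipf.conf
# The internal servers need 192.168.1.250 as their default gateway so
# that replies return through the NetBSD box and are translated back.
```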