Subject: RE: can't figure out port forwarding. :-(
To: NetBSD <netbsd-help@netbsd.org>
From: None <fernando@rxp.com>
List: netbsd-help
Date: 05/26/2003 22:26:37
> -----Original Message-----
> From: Dancho Penev [mailto:dpenev@mail.bg]
> Sent: Monday, May 26, 2003 4:47 PM
> To: fernando@rxp.com
> Cc: netbsd-help@NetBSD.ORG
> Subject: Re: can't figure out port forwarding. :-(
>
>
> On Mon, May 26, 2003 at 12:02:52PM -0400, fernando@rxp.com wrote:
> >From: <fernando@rxp.com>
> >To: "NetBSD" <netbsd-help@netbsd.org>
> >Subject: can't figure out port forwarding. :-(
> >Date: Mon, 26 May 2003 12:02:52 -0400
> >
> >Hi NetBSD Geniuses! :-)
> >
> >	After reading all the messages about port forwarding, ipf, ipnat, and a few
> >other subjects in the NetBSD world, I have come to the conclusion that all
> >these years of playing with M$oft products have made me retarded. :-(
> >
> >	I am trying to set up a Terminal server behind a NetBSD box. I tried to
> >understand the port forwarding thing in ipf.conf but there isn't anything in
> >that file except a default line that the NetBSD installation put in there.
> >And a few more lines for ipnat.conf. (it's not like I understand either of
> >them anyway).
> >
> >	My NetBSD box has 2 nics (ex0-external and ex1-internal). ex0 gets ip
> >24.25.26.27 as assigned by the isp while ex1 gets ip 192.168.1.250 (I think
> >I assigned that one or it auto'd to that during install).
> >
> >The only thing in my ipf.conf file is:
> >-----------------------------------------
> >	#Prevent IP spoofing.
> >	block in quick all with short
> >-----------------------------------------
> >
> >And all that is in my ipnat.conf file is:
> >-----------------------------------------
> >	#!/sbin/ipnat -f -
> >	#
> >	# THIS IS WRITTEN FOR IP FILTER 3.2
> >	#
> >	# ex0 - (external) connection to ISP, address 24.25.26.27/32
> >	#
> >	# ex1 - (internal) network interface, address 192.168.1.250/32
> >	#
> >	#
> >	map ex0 192.168.1.250/24 -> 24.25.26.27/32 portmap tcp/udp 40000:60000
> >	map ex0 192.168.1.250/24 -> 24.25.26.27/32
> >	#
> >	#
> >	#To make ftp work, using the internal ftp proxy, use:
> >	#
> >	map ex0 192.168.1.250/24 -> 24.25.26.27/32 proxy port ftp ftp/tcp
> >-----------------------------------------
> >
> >	What I currently have is 3 static ip addresses (only using 2 right now) and
> >I have a server sitting on one of them (exposed to the internet 'cuz it has
> >a web site on it). I need to put that server behind the NetBSD box but still
> >have access to the terminal services and web sites on that machine.
> >
> >	This is a link to a diagram of what I have now and what I am trying to do.
> >Although I'm sure my explanation is enough. http://vpndns.com/now.htm
> >
> >	I tried to make a line like the last one in the ipnat.conf file. It didn't
> >work. :-\ and I found on the web that the port the client initializes is
> >port 3389 tcp. How do I create a line in the conf files to allow 3389 entry?
> >Will the new line include the ip address of the server (the new internal ip
> >address of the terminal server will be something like 192.168.1.44).
> >
> >	On a web site I saw an answer to someone else's same question but it only
> >said: "you only need to redirect your TCP port 3389 through your firewall to
> >the IP-Addr. of the Terminal Server." ... How??? is it something like:
> >redirect port 3389 -> 192.168.1.44
>
> Actually it's:
>
> rdr ex0 24.25.26.27/32 3389 -> 192.168.1.44/32 3389 tcp
>

Seems no matter how many different ways I try that, I can't get it to work.
:-(
I put it in the ipnat.conf file exactly as you show it and reboot. Still
nothing.

I even went to the extra time to set up a web server on that same machine so
I can see if it's just the terminal server messing things up. But rdr to
the -> 192... 80 tcp doesn't work either.

> Read ipnat.conf man page for more details.

Whoa, I didn't even imagine that the ipnat.conf file would have its own man
page. And it's a big one too. I have a lot of reading to do.

>
> >
> >	If the above is correct, how would I handle multiple servers if everything
> >going to port 3389 is going to go to one machine? (magic, right? ;-)
> >
> >Thank you VERY much for any help at all.
> >Fernando
> >
> >PS: "vi" is KILLING me. Can I just share the whole drive and use notepad?
> >:-P
>
> No, you can't ;-)

ack! yer KILLIN' ME! :-)

> --
> Regards,
> Dancho Penev


Thanks again.
Fernando
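The rdr rules discussed in this thread, as an added example that is not part of the original posts and not NetBSD's or IPFilter's own code. In the ipnat(5) grammar an rdr rule reads `rdr IF EXTADDR/MASK port N -> INTADDR port N PROTO`, with the `port` keyword before each port number; the linter below is my own small script that catches three things that silently break a forwarding setup like this one: a rule that does not fit that grammar (for example a missing `port` keyword), a target that is not in the internal network, and two rdr rules for the same external address, port and protocol (ipnat uses the first match, so the second one is dead; this is the "multiple servers" question, answered with a different external port or external address per server). The sample ipnat.conf, the internal network 192.168.1.0/24 and the second external address 24.25.26.28 are constructed from the addresses in the thread, not taken from anyone's real configuration.

```python
import ipaddress
import re

# Constructed sample ipnat.conf for this example (not the poster's file).
# ex0 = 24.25.26.27 (external), ex1 = 192.168.1.250 (internal); 24.25.26.28
# stands in for a second static address. Line 4 has the shape of a rule
# written without the 'port' keyword, which ipnat does not accept.
SAMPLE_IPNAT_CONF = """\
# ex0 - external, ex1 - internal (constructed sample)
map ex0 192.168.1.0/24 -> 24.25.26.27/32 portmap tcp/udp 40000:60000
map ex0 192.168.1.0/24 -> 24.25.26.27/32
rdr ex0 24.25.26.27/32 3389 -> 192.168.1.44/32 3389 tcp
rdr ex0 24.25.26.27/32 port 80 -> 192.168.1.44 port 80 tcp
rdr ex0 24.25.26.27/32 port 80 -> 192.168.1.45 port 80 tcp
rdr ex0 24.25.26.28/32 port 3389 -> 10.0.0.9 port 3389 tcp
"""

# ipnat(5) rdr form: rdr IF EXTADDR/MASK port N -> INTADDR port N PROTO [options]
RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<ext>\S+)\s+port\s+(?P<eport>\d+)\s*->\s*"
    r"(?P<int>\S+)\s+port\s+(?P<iport>\d+)\s+(?P<proto>tcp/udp|tcp|udp)\b"
)


def make_rdr(ifname, ext_addr, ext_port, target, int_port, proto="tcp"):
    """Build a well-formed rdr line; the external port may differ from the internal one."""
    return f"rdr {ifname} {ext_addr}/32 port {ext_port} -> {target} port {int_port} {proto}"


def lint_ipnat(text, internal_net):
    """Return [(line_no, message)] for rdr rules that look wrong.

    Checks: the rule matches the rdr grammar, the target lies inside the
    internal network, the ports are in range, and the same external
    ifname/address/port/proto is not redirected twice (first match wins).
    """
    net = ipaddress.ip_network(internal_net, strict=False)
    findings = []
    seen = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("rdr"):
            continue  # map/bimap rules are out of scope for this linter
        m = RDR_RE.match(line)
        if m is None:
            findings.append((n, "does not match 'rdr IF ADDR/MASK port N -> ADDR "
                                "port N PROTO'; check for a missing 'port' keyword"))
            continue
        key = (m["ifname"], m["ext"], m["eport"], m["proto"])
        if key in seen:
            findings.append((n, f"external {m['ext']} port {m['eport']}/{m['proto']} "
                                f"already redirected on line {seen[key]}; this rule never matches"))
        else:
            seen[key] = n
        target = ipaddress.ip_address(m["int"].split("/")[0])
        if target not in net:
            findings.append((n, f"target {target} is not in the internal network {net}"))
        for p in (m["eport"], m["iport"]):
            if not 1 <= int(p) <= 65535:
                findings.append((n, f"port {p} out of range"))
    return findings


if __name__ == "__main__":
    for n, msg in lint_ipnat(SAMPLE_IPNAT_CONF, "192.168.1.0/24"):
        print(f"line {n}: {msg}")
    # One rule per internal server: a distinct external port (or external
    # address) for each, since two rules for one external port:proto cannot both match.
    print(make_rdr("ex0", "24.25.26.27", 3389, "192.168.1.44", 3389))
    print(make_rdr("ex0", "24.25.26.27", 3390, "192.168.1.45", 3389))
```

After editing /etc/ipnat.conf, reload the rules with `ipnat -CF -f /etc/ipnat.conf` and confirm they were accepted with `ipnat -l`; a rule the parser rejects is simply not installed, which looks exactly like "still nothing" after a reboot. The redirected packets must also be passed by ipf and forwarded by the kernel (`sysctl net.inet.ip.forwarding` should be 1, and rc.conf needs `ipfilter=YES` and `ipnat=YES` so both are loaded at boot).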