Subject: Re: IPFiler ( ipf ) for dial-up and LAN
To: zuan . <me_izwan@hotmail.com>
From: Andrew Gillham <gillham@vaultron.com>
List: port-i386
Date: 04/10/2002 17:59:02
On Thu, Apr 11, 2002 at 07:16:29AM +0800, zuan . wrote:
> I'm trying to figure out how to make IPFilter work for my NetBSD.
> Right now I have 13 computers networked and the NetBSD as a dialup internet
> gateway. Right now I have only found the sample for static IP ipf firewalling but
> not for dynamic IP.
> The NetBSD IP is 192.168.1.1 and my networked clients use 192.168.1.2 and so
> on. Can anyone give me an example or some easy-to-understand FAQs or guide
> to ipf firewalling for NetBSD as an internet gateway for LAN and mostly for
> dialup?

Look in /usr/share/examples/ipf/mediaone.
Basically put this in /etc/ipnat.conf:
	map ppp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
	map ppp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 1024:65535
	map ppp0 192.168.1.0/24 -> 0/32

You also need to enable 'options GATEWAY' in your kernel, or add the
following to /etc/sysctl.conf:
	net.inet.ip.forwarding=1

Also in /etc/rc.conf:
	ipnat=YES

-Andrew
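
A filter ruleset to accompany the NAT rules in the reply above, as an added example that is not part of the original message. Every rule matches on the interface name ppp0 rather than on an address, so it keeps working when the dial-up address changes. The policy itself (LAN hosts may open any outbound connection, nothing unsolicited is accepted from the dial-up side) and the use of ipfilter=YES in /etc/rc.conf are assumptions, not settings given in the thread.

```conf
# /etc/ipf.conf (example policy, an assumption; adjust to your needs)
# Load it at boot with ipfilter=YES in /etc/rc.conf, next to ipnat=YES.

# Loopback traffic is never filtered.
pass in  quick on lo0 all
pass out quick on lo0 all

# Outbound on the dial-up link: allow new connections and record state,
# so replies are matched by the state table instead of an inbound rule.
# Outbound filtering runs before NAT, so these rules see 192.168.1.x sources.
pass out quick on ppp0 proto tcp  from any to any flags S keep state
pass out quick on ppp0 proto udp  from any to any keep state
pass out quick on ppp0 proto icmp from any to any keep state
block out quick on ppp0 all

# Inbound on the dial-up link: drop packets claiming a private source
# address (these cannot legitimately arrive from the ISP side) ...
block in quick on ppp0 from 192.168.0.0/16 to any
block in quick on ppp0 from 172.16.0.0/12  to any
block in quick on ppp0 from 10.0.0.0/8     to any

# ... then log and drop everything that did not match existing state.
block in log quick on ppp0 all

# No rules name the LAN interface, so traffic between the gateway and
# 192.168.1.0/24 falls through to ipf's default action.
```

After loading, `ipfstat -io` lists the active rules and `ipnat -l` lists the NAT mappings, which confirms that both files were read.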