Subject: Re: IPNat, IPF, and webservers...
To: David Woyciesjes <DAW@yalepress3.unipress.yale.edu>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-net
Date: 10/21/2000 15:43:04
On Fri, Oct 20, 2000 at 10:17:03AM -0400, David Woyciesjes wrote:
> ********Please keep my name in the "Send To" field, because I need to be
> approved to join the 'tech-net' apparently. Maybe because the University
> uses e-mail address aliases.**********
> 
> Gents---
> 	Happy Friday to everyone! I'm sure this is an easy question.
> 	I've set up the infamous NetBSD/i386 Firewall from dubbele.com, and
> modified it to use RP-PPPoE to connect over the ADSL line. Now, all I want
> is to allow http (port 80) traffic thru to machine 10.10.10.10. I've RTFM,
> read thru the mail archives, and thought I had the answer (shown below). So
> I get that all in and restarted the firewall, ( BTW, aren't there commands to
> renew the ipf and ipnat rules w/o rebooting?) and I can browse to
> 10.10.10.10 fine (from 10.10.10.2), but when I try to browse to 64.252.39.??
> (from 10.10.10.2), I get the "No response, server could be down" message.
> Help.
> 
> P.S. Does anyone use the redirection service on CJB.net?? 
> 
> 
> -----IPNAT.CONF-----
> #!/sbin/ipnat -f -
> # ex0 - (old ext.) connection to ISP, address 10.10.10.20/32
> # ppp0- (new ext.) connection to SNET, DHCP address - 0/32 
> # ep0 - (internal) network interface, address 192.168.1.250/32
> #
> rdr ppp0 0/32 port 80 -> 10.10.10.10 port 80 tcp 
> #
> map ppp0 10.10.10.0/24 -> 0/32 portmap tcp/udp 40000:60000
> map ppp0 10.10.10.0/24 -> 0/32
> #
> #To make ftp work, using the internal ftp proxy, use:
> map ppp0 10.10.10.0/24 -> 0/32 proxy port ftp ftp/tcp
> #
> 
> -----IPF.CONF-----
> #!/sbin/ipf -f -
> #
> # Prevent IP spoofing.
> pass in quick on ppp0 proto tcp from any to 10.10.10.10/32 port = 80

I think you also need:
pass in quick on ppp0 proto tcp from any to any flags S/SA
to allow outgoing connections to work.

> #
> block in quick all with short

Should be
block in quick on ppp0 all with short
otherwise you may block traffic on internal interfaces too.

--
Manuel Bouyer <bouyer@antioche.eu.org>
--
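A consolidated ipf.conf/ipnat.conf pair for the setup discussed above, as an added example that is not part of the thread or of the dubbele.com firewall: it assumes ppp0 is the external interface, ep0 the internal one on 10.10.10.0/24, and 10.10.10.10 the web server, and it uses keep state on outbound connections rather than a blanket inbound pass.

```conf
# ----- /etc/ipf.conf (assumed paths; ppp0 external, ep0 internal) -----
# Default deny on the external interface; later "quick" rules punch holes.
block in log on ppp0 all
block out log on ppp0 all
# Drop fragments too short to carry a full header, external side only,
# so internal traffic on ep0 is not affected.
block in log quick on ppp0 all with short
# Anti-spoofing: packets arriving from the outside must not claim a LAN source.
block in log quick on ppp0 from 10.10.10.0/24 to any
# Inbound HTTP to the web server. On input, ipnat rewrites the destination
# before ipf sees the packet, so the filter matches the internal address.
pass in quick on ppp0 proto tcp from any to 10.10.10.10/32 port = 80 flags S keep state
# Outbound connections from the NATed LAN: keep state so only the replies
# belonging to these sessions are let back in on ppp0.
pass out quick on ppp0 proto tcp from any to any flags S keep state
pass out quick on ppp0 proto udp from any to any keep state
pass out quick on ppp0 proto icmp from any to any keep state
# The internal interface is trusted.
pass in quick on ep0 all
pass out quick on ep0 all

# ----- /etc/ipnat.conf -----
# 0/32 stands for "whatever address ppp0 currently has" (dynamic PPPoE).
# rdr only matches packets arriving on ppp0: a LAN client that browses to
# the public address arrives on ep0 and is not redirected by this rule.
rdr ppp0 0/32 port 80 -> 10.10.10.10 port 80 tcp
# map rules are first-match: the ftp proxy must precede the general maps.
map ppp0 10.10.10.0/24 -> 0/32 proxy port ftp ftp/tcp
map ppp0 10.10.10.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ppp0 10.10.10.0/24 -> 0/32

# ----- reloading without a reboot (run as root) -----
#   ipf -Fa -f /etc/ipf.conf       # flush all filter rules, load the file
#   ipnat -CF -f /etc/ipnat.conf   # clear NAT rules and mappings, reload
#   ipf -y                         # resync interface addresses after ppp0 changes
```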