The file /etc/ipf.rules is automatically submitted to IPfilter at boot time. This file contains the filtering rules. Be sure to edit /etc/rc.conf to enable ipfilter as well. See the examples in /usr/share/ipf/* for help.
The file /etc/ipnat.rules is automatically submitted to ipnat at boot time. This file contains the NAT rules. Be sure to edit /etc/rc.conf to enable ipnat as well. See the examples in /usr/share/ipf/* for help.
NAT rules take one of two forms.
It goes without saying that you must be root to do any of the following.
map interface internal-addresses -> external-address [ portmap tcp 1025:60000 ]
e.g.:
map ne0 172.16.2.0/24 -> 206.47.27.13/32 portmap tcp 1025:60000
interface is the network interface connected to the ADSL modem.
internal-addresses describes the range of addresses used on your LAN that you want translated, in CIDR format. If you don't understand this, then go back to the basics.
external-address describes the address(es) that should appear on the outside. For ADSL and Wave use, this should be your IP address. The "/32" is required.
The "portmap ..." stuff tells IPfilter to select a new source port for outgoing TCP connections. You will want to do this for TCP connections. You can't do it for UDP connections unless you also use IPfilter for packet filtering (in order to keep connection state). You can't do it for ICMP at all.
rdr interface external-address port portnum -> internal-address port portnum2
e.g.:
rdr ne0 206.47.27.13/32 port 21 -> 172.16.2.197 port 21
interface is the network interface connected to the ADSL modem.
external-address is your ADSL IP address. The "/32" is required.
portnum is the port number of the service that you want to allow in.
internal-address is the IP address for the server that will handle the given service request.
portnum2 is the port number to use on the inside. This need not be the same as portnum, although it usually is. For example, you can run a private web server on port 80, and a public server on port 8080. Then, in your redirect rule:
rdr ne0 206.47.27.13/32 port 80 -> 172.16.2.197 port 8080
ipnat allows you to enter rules interactively from the shell prompt. I advise against this. Instead, put all your rules into a file, and reload from scratch each time you make a change. This way, you are guaranteed to be able to reproduce the state of your NAT at any time in the future.
ipnat will not permit duplicate rules. For this reason, you must flush the NAT table before loading new rules, as follows:
ipnat -C
ipnat -f nat.adsl
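Since ipnat rejects duplicate rules and the text requires an explicit /32 on the external address, it helps to check a rules file before the flush-and-reload step. The following checker is an added example, not part of the original HOWTO or of IPfilter; it understands only the two rule forms described above (map with an optional portmap, and rdr), and the sample rules file embedded in it is constructed for illustration.

```python
import ipaddress
import re

# The two rule forms the text describes; anything else is reported as unrecognised.
MAP_RE = re.compile(r"^map (\S+) (\S+) -> (\S+)(?: portmap tcp (\d+):(\d+))?$")
RDR_RE = re.compile(r"^rdr (\S+) (\S+) port (\d+) -> (\S+) port (\d+)$")

# Constructed sample file: line 3 repeats line 2, and line 4 lacks the required /32.
SAMPLE = """\
map ne0 172.16.2.0/24 -> 206.47.27.13/32 portmap tcp 1025:60000
rdr ne0 206.47.27.13/32 port 21 -> 172.16.2.197 port 21
rdr ne0 206.47.27.13/32 port 21 -> 172.16.2.197 port 21
rdr ne0 206.47.27.13 port 80 -> 172.16.2.197 port 8080
"""

def _valid_network(addr):
    try:
        ipaddress.ip_network(addr, strict=True)  # rejects host bits set below the mask
        return True
    except ValueError:
        return False

def _ports_ok(*ports):
    return all(1 <= int(p) <= 65535 for p in ports)

def check_rules(text):
    # Returns [(line_number, problem), ...]; an empty list means the file is clean.
    problems, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split("#", 1)[0].split())  # drop comments, squeeze blanks
        if not line:
            continue
        if line in seen:  # ipnat refuses duplicate rules, so catch them before loading
            problems.append((lineno, "duplicate rule"))
            continue
        seen.add(line)
        m, r = MAP_RE.match(line), RDR_RE.match(line)
        if m:
            _, internal, external, lo, hi = m.groups()
            if not _valid_network(internal):
                problems.append((lineno, "internal-addresses is not a valid CIDR block"))
            if lo is not None and not (_ports_ok(lo, hi) and int(lo) <= int(hi)):
                problems.append((lineno, "portmap range must be 1 <= low <= high <= 65535"))
        elif r:
            _, external, pnum, internal, pnum2 = r.groups()
            if not _ports_ok(pnum, pnum2):
                problems.append((lineno, "port numbers must be within 1..65535"))
        else:
            problems.append((lineno, "unrecognised rule form"))
            continue
        if not (external.endswith("/32") and _valid_network(external)):  # text: /32 required
            problems.append((lineno, "external-address needs an explicit /32"))
    return problems
```

Run check_rules on the file contents and only proceed to ipnat -C and ipnat -f when it returns an empty list.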
ipnat -l displays a list of the currently active rules and mappings. I don't know what the last three numbers on each line mean. In any case, the output is better than nothing.