Chapter 4. Configuring IPNAT

Table of Contents

4.1. Introduction
4.2. What Our /etc/ipnat.conf Needs to Look Like
4.3. Other Nifty Stuff
4.4. IPNAT With Dial Up Networking

4.1. Introduction

Network Address Translation (NAT) is part of IPfilter, which comes by default with the NetBSD release. The job of NAT is to take a source IP address and translate it to another out a different network interface. This is also known as masquerading.

Luckily for you (as the exhausted reader) and I (the exhausted author) configuring NAT is pretty simple, especially with the example we are using.

4.2. What Our /etc/ipnat.conf Needs to Look Like

It is very simple:

map ep0 -> proxy port ftp ftp/tcp
map ep0 -> portmap tcp/udp 10000:20000
map ep0 ->

First we are proxying ftp thru the ep0 interface. The next line says go ahead and map all tcp/udp traffic right on through the interface and assign each out bound "connection" a port from 10000 to 20000 and finally the last line says, just plain map from to For our purposes this is all we need so the rest of this document is of limited interest to those of you in a crunch trying to get a firewall up.

4.3. Other Nifty Stuff

A few items of interest for the curious, we can also map into the local network as well:

map fxp0 -> (add whatever service here)

This might be handy to connect to a specific server inside (such as a web server) or if you recall the DMZ example in the overview document, we may wish to translate into the DMZ from the world. Additionally it can be used as a poor man's router to link internal networks together - but there are much better was of doing that.

Instead of this, however, most administrators would locate the web server within a DMZ and use ipfilter to ensure only http and ssh connections can be made to the system.

If you look closely you will see all outbound connections map to a single IP address, what if you wanted to be able to map to more? You can do so by simply changing the single address to a network:

map ep0 ->

Finally, the portmap range can be adjusted to whatever you feel is necessary.

4.4. IPNAT With Dial Up Networking

Many home users use dial up connections to access the internet. Many dial up connections are assigned a dynamic IP address every time the user connects. At first glance it may appear that some method for putting this new address into /etc/ipnat.conf is required. Luckily, that is not so. Take note of how addresses can be shown on the internet side of the ipnat.conf file. Actually entire subnets can be used like so:

map ep0 ->

What this is saying is that addresses from can be assigned any address on's network. Keeping that in mind, on a dial up connection you know you will be given one and one address, so the following entries effectively do the same:

map ppp0 -> 0/32 proxy port ftp ftp/tcp
map ppp0 -> 0/32 portmap tcp/udp 40000:60000
map ppp0 -> 0/32 

Here we are saying map anything on to one single address, the address the interface will have.