HTMLized from /usr/share/ipf/

/usr/share/ipf/nat.1
Example NAT Rules

# Scenario: Two network interfaces; one connected to internal 192.168.0.XXX
# network, other connected externally to the Internet. Suppose the internal
# interface is named ep1 and the external interface is named xl0. The
# following mapping will provide the internal network with Internet
# connectivity for tcp/udp traffic (note the ep1 name is not used; instead
# its network address is used):
map xl0 192.168.0.0/24 -> xl0/32 portmap tcp/udp 10000:20000

# map all tcp connections from network 10 to the address of the first ppp0
# interface (which can be dynamically assigned prior to use of ipnat)
map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 10000:20000

# map all tcp connections from network 10 into addresses of network 240.1.0
map ppp0 10.0.0.0/8 -> 240.1.0.0/24 portmap tcp/udp 10000:60000

# map all tcp connections from 10.1.0.0/16 to 240.1.0.1, changing the source
# port number to something between 10,000 and 20,000 inclusive.  For all other
# IP packets, allocate an IP # between 240.1.0.0 and 240.1.0.255, temporarily
# for each new user.
#
map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
map ed1 10.1.0.0/16 -> 240.1.0.0/24
#
# Redirection is triggered for input packets.
# For example, to redirect FTP connections through this box, to the local ftp
# port, forcing them to connect through a proxy, you would use:
#
rdr ed0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
#
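To make the rule semantics above concrete, here is a small simulator for the `map`/`portmap` and `rdr` forms used in these examples. It is an added illustration, not code from IP Filter or from these example files. Interface addresses, the service-name table and the sample packets are constructed, and the per-host pool selection and port choice are deliberately simplified (real ipnat keeps a translation table and allocates ports from the range as sessions appear). The one behaviour it does reproduce faithfully is rule ordering: ipnat applies the first matching rule, which is what lets the two `ed1` rules split TCP (portmapped to a single address) from all other traffic (address-only translation from the /24 pool). The `0/32` and `iface/32` targets from nat.1 and nat.3 both resolve to the interface's own address.

```python
"""Simulator for a subset of ipnat rules (map with optional portmap, and rdr).

Added illustration only; not part of IP Filter. Constructed addresses below.
"""
import ipaddress

# Assumed addresses for the interfaces named in the rules (constructed).
IFACE_ADDRS = {
    "xl0": ipaddress.ip_address("203.0.113.10"),
    "ppp0": ipaddress.ip_address("198.51.100.7"),
    "ed0": ipaddress.ip_address("192.0.2.1"),
    "ed1": ipaddress.ip_address("192.0.2.2"),
}

# Service names accepted in 'port' fields (constructed subset of /etc/services).
SERVICES = {"ftp": 21}

# Constructed sample rule set, taken from the forms shown in nat.1.
SAMPLE_RULES = """
# comments and blank lines are ignored
map xl0 192.168.0.0/24 -> xl0/32 portmap tcp/udp 10000:20000
map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
map ed1 10.1.0.0/16 -> 240.1.0.0/24
rdr ed0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
"""


def _port(tok):
    """Resolve a numeric port or a service name."""
    return SERVICES[tok] if tok in SERVICES else int(tok)


def parse_rules(text):
    """Parse 'map IFACE SRC -> DST [portmap PROTO[/PROTO] LO:HI]' and
    'rdr IFACE DST port P -> ADDR port P' lines into dicts, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        t = line.split()
        if t[0] == "map" and t[3] == "->":
            rule = {"kind": "map", "iface": t[1],
                    "src": ipaddress.ip_network(t[2], strict=False),
                    "dst": t[4], "protos": None, "ports": None}
            if len(t) > 5 and t[5] == "portmap":
                rule["protos"] = set(t[6].split("/"))
                lo, hi = t[7].split(":")
                rule["ports"] = (int(lo), int(hi))
            rules.append(rule)
        elif t[0] == "rdr" and t[5] == "->":
            rules.append({"kind": "rdr", "iface": t[1],
                          "dst": ipaddress.ip_network(t[2], strict=False),
                          "port": _port(t[4]),
                          "new_addr": ipaddress.ip_address(t[6]),
                          "new_port": _port(t[8])})
        else:
            raise ValueError("unsupported rule: " + line)
    return rules


def resolve_target(rule, src_ip):
    """Turn a map rule's right-hand side into one concrete address.
    'xl0/32' or '0/32' mean the interface's own address; a /32 literal is
    used as-is; a larger pool yields one address per internal host
    (simplified: chosen from the host bits, not a real allocation table)."""
    name = rule["dst"].partition("/")[0]
    if name == "0":
        return IFACE_ADDRS[rule["iface"]]
    if name in IFACE_ADDRS:
        return IFACE_ADDRS[name]
    pool = ipaddress.ip_network(rule["dst"], strict=False)
    if pool.num_addresses == 1:
        return pool.network_address
    return pool.network_address + (int(src_ip) % pool.num_addresses)


def translate_outbound(rules, iface, proto, src_ip, src_port):
    """Apply the FIRST matching map rule to an outgoing packet.
    Returns (new_src_ip, new_src_port) or None when no rule matches."""
    src_ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["kind"] != "map" or rule["iface"] != iface:
            continue
        if src_ip not in rule["src"]:
            continue
        if rule["protos"] is not None and proto not in rule["protos"]:
            continue  # a portmap rule only matches the protocols it lists
        new_ip = resolve_target(rule, src_ip)
        new_port = src_port
        if rule["ports"] is not None:
            lo, hi = rule["ports"]
            new_port = lo + (src_port % (hi - lo + 1))  # simplified choice
        return str(new_ip), new_port
    return None


def translate_inbound(rules, iface, dst_ip, dst_port):
    """Apply the first matching rdr rule to an incoming packet."""
    dst_ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (rule["kind"] == "rdr" and rule["iface"] == iface
                and dst_ip in rule["dst"] and dst_port == rule["port"]):
            return str(rule["new_addr"]), rule["new_port"]
    return None


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(translate_outbound(rules, "ed1", "tcp", "10.1.2.3", 5000))
    print(translate_outbound(rules, "ed1", "udp", "10.1.2.3", 5000))
    print(translate_inbound(rules, "ed0", "198.51.100.9", 21))
```

Running it shows the ordering effect directly: a TCP packet from 10.1.2.3 is rewritten to 240.1.0.1 with a port in 10000:20000, while a UDP packet from the same host falls through to the second rule and keeps its port but gets an address from the 240.1.0.0/24 pool. Swapping the two `ed1` rules would make the pool rule match everything and the portmap rule dead, which is the kind of mistake worth checking for before loading a rule set with `ipnat -f`.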

/usr/share/ipf/nat.2
Miscellaneous NAT Configuration Tips

Don't forget to add "net.inet.ip.forwarding=1" to /etc/sysctl.conf or NAT will
not work.  NAT requires IP packet forwarding.

Don't forget to add "option IPFILTER" (and maybe "option IPFILTER_LOG"
if you want ipmon(8) to work) to the kernel config file or NAT will
not work.  NAT requires the IPF packet filter.

You must have IPF enabled even if you aren't using it for anything or
NAT will not work.  The standard way to do this is to make sure
/etc/ipf.rules is installed and edit /etc/rc.conf changing
"ipfilter=NO" to "ipfilter=YES" then reboot.

When you bring up NAT, the interface it maps to must already have an address.
If you are using the ppp0 interface, you therefore cannot start NAT from /etc/rc
unless pppd is also started from /etc/rc.  Instead, in the /etc/ppp/ip-up shell
script add

/sbin/ipnat -CF -f /etc/ipnat.rules

to start NAT when the link comes up and the interface has an address.

/usr/share/ipf/nat.3
#!/sbin/ipnat -f -
#
# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# ed0 - (internal) network interface, address w.x.y.z/32
#
# If we have only 1 valid IP address from our ISP, then we do this:
#
map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
map ppp0 w.x.y.z/24 -> a.b.c.d/32
#
# if we get a different dialup IP address each time, then we would use:
#
#map ppp0 w.x.y.z/24 -> 0/32 portmap tcp/udp 40000:60000
#map ppp0 w.x.y.z/24 -> 0/32
#
# If we have a class C address space of valid IP#'s from our ISP, then we can
# do this:
#
#map ppp0 w.x.y.z/24 -> a.b.c.d/24 portmap tcp/udp 40000:60000
#map ppp0 w.x.y.z/24 -> a.b.c.d/24
#
# or, if we only have a small number of PC's, this:
#
#map ppp0 w.x.y.v/32 -> a.b.c.E/32 portmap tcp/udp 40000:60000
#map ppp0 w.x.y.v/32 -> a.b.c.E/32
#map ppp0 w.x.y.u/32 -> a.b.c.F/32 portmap tcp/udp 40000:60000
#map ppp0 w.x.y.u/32 -> a.b.c.F/32
#map ppp0 w.x.y.t/32 -> a.b.c.G/32 portmap tcp/udp 40000:60000
#map ppp0 w.x.y.t/32 -> a.b.c.G/32
#map ppp0 w.x.y.s/32 -> a.b.c.H/32 portmap tcp/udp 40000:60000
#map ppp0 w.x.y.s/32 -> a.b.c.H/32
#map ppp0 w.x.y.r/32 -> a.b.c.I/32 portmap tcp/udp 40000:60000
#map ppp0 w.x.y.r/32 -> a.b.c.I/32
#map ppp0 w.x.y.q/32 -> a.b.c.J/32 portmap tcp/udp 40000:60000
#map ppp0 w.x.y.q/32 -> a.b.c.J/32
#map ppp0 w.x.y.p/32 -> a.b.c.K/32 portmap tcp/udp 40000:60000
#map ppp0 w.x.y.p/32 -> a.b.c.K/32
#
# To make ftp work, using the internal ftp proxy, use:
#
map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp