On Fri, 26 Apr 2002, Marvin Bellamy wrote:

> Has anyone had any difficulty setting their firewalls with redirection
> to intranet boxes to allow connections from the outside world? I'm
> trying to get ipf and ipnat configured, but nothing seems to be working.
> I've used tcpdump and I can see the attempts to connect to my web
> server, and I can connect to my web server from my firewall, but
> redirection doesn't seem to be working. Note that I've had my network
> configured to only allow outgoing connections for at least a year now.
> It's the inbound redirections that aren't working. Also, I have a
> dynamic IP, so I used a "best guess" of 0/32 to do this. A sample
> ipnat.rules file configured for a dynamic external IP would help a lot.

My ipnat.rules has

    rdr rl1 0.0.0.0/0 port 2022 -> 192.168.0.2 port 22

which allows me to ssh in to an inside box via port 2022 on the outside.
The "rl1 0.0.0.0/0" bit tells it to use whatever address rl1 (my outside
interface) currently has.

The key is the netmask length. "/0" means "don't match against any part of
the address", and "/32" means "match all 32 bits of the address."
Specifying 0/32 as the outside address would tell it to match packets with
a destination address of "0.0.0.0", which is probably not what you want.

Note that ipf needs to be configured to allow inbound connections as well.
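A complete ipnat.rules / ipf.conf pair built around that rdr line, added here as an illustration and not part of either message above. The outside interface rl1 and the inside host 192.168.0.2 are taken from the reply; the inside interface name rl0, the inside LAN 192.168.0.0/24, the web-server address 192.168.0.3 and the block/pass layout are assumptions for the example.

```conf
# ---- /etc/ipnat.rules (added example) ----
# rl1 = outside interface (dynamic address), rl0 = inside interface (assumed),
# 192.168.0.0/24 = inside LAN (assumed).

# Outbound: hide the LAN behind whatever address rl1 holds right now.
# Here "0/32" is correct: on the *translated-to* side it means "the
# interface's current address", which is what a dynamic IP needs.
map rl1 192.168.0.0/24 -> 0/32 portmap tcp/udp 40000:60000
map rl1 192.168.0.0/24 -> 0/32

# Inbound: the *match* side must be 0.0.0.0/0 (any destination address).
# Writing 0/32 here would only match packets sent to 0.0.0.0, so nothing
# would ever be redirected.
rdr rl1 0.0.0.0/0 port 2022 -> 192.168.0.2 port 22 tcp
# Web server on an inside box (192.168.0.3 is a constructed address).
rdr rl1 0.0.0.0/0 port 80 -> 192.168.0.3 port 80 tcp

# ---- /etc/ipf.conf (added example) ----
# ipfilter applies NAT to inbound packets *before* the filter rules see them,
# so the inbound pass rules name the inside address and inside port, not
# the outside port 2022.
block in log all
block out all

# Inside interface: trust the LAN.
pass in  quick on rl0 all
pass out quick on rl0 all

# Outbound from the firewall / LAN, stateful.
pass out quick on rl1 proto tcp  from any to any flags S keep state
pass out quick on rl1 proto udp  from any to any keep state
pass out quick on rl1 proto icmp from any to any keep state

# Inbound: only the two redirected services, matched post-translation.
pass in quick on rl1 proto tcp from any to 192.168.0.2 port = 22 flags S keep state
pass in quick on rl1 proto tcp from any to 192.168.0.3 port = 80 flags S keep state
```

Load them with `ipnat -CF -f /etc/ipnat.rules` and `ipf -Fa -f /etc/ipf.conf`; `ipnat -l` then lists the active map/rdr entries, and `ipf -y` resyncs the in-kernel interface addresses after the dynamic IP changes. Watching with `tcpdump -i rl0` confirms whether the translated packets are actually leaving towards the inside box, which separates an ipnat problem from an ipf one.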