BSD Today: Setting up OpenBSD 2.7 as a cable NAT system | Linux Today

Written by Web Webster, Jul 25, 2000

[ Thanks to Jeremy C. Reed for this link. ]

“The first thing I did upon getting cable modem access in my
apartment was to get an old Pentium 133 computer, put in two NICs,
and fire up the OpenBSD 2.7 boot floppy. I did this for several
reasons: first, because I heard that OpenBSD runs as a fast network
node even with old hardware; and second, because I knew that it was
probably the most secure operating system I can get in that price
range. While some people may view OpenBSD security as overkill for
a simple home cable modem setup, upon closer examination I found
that OpenBSD’s secure upon install feature did save my butt more
than once; right now, the logfiles show that (literally) not an
hour goes by without my system being scanned by someone on the
internet.”

“The first thing I did after that point [after installing
OpenBSD] was to try to set up Network Address translation for the
rest of my lan. Being familiar with doing that on a Linux box with
a dial-up link, I looked for familiar tools. ipchains wasn’t there,
and neither were the slackware config files. Once again I hit the
OpenBSD FAQ.
Upon reading it, I changed my /etc/rc.local file
to start up the NAT and IP Filtering services on bootup (change the
ipfilter= and ipnat= lines to YES). Because I used the GENERIC
kernel that came with the installation, I also had to enable ip
forwarding in the /etc/sysctl.conf file (change the
net.inet.ip.forwarding= from a 0 to a 1). I then edited the
/etc/ipf.rules file to pass in packets from both sides to see how
it would work.”

“Next, I had to edit the /etc/ipnat.rules file to set up the NAT
rules (a simple syntax is map [outside interface] [internal
network/netmask (in CIDR format – 255.255.255.0 corresponds to a
24)] -> [name of outside interface OR ip of outside
interface/netmask] ). My /etc/ipnat.rules looks like the
following:

map ep0 172.16.10.0/24 -> ep0/32 portmap tcp/udp 10000:20000
map ep0 172.16.10.0/24 -> ep0/32

For some reason, the two of those lines are necessary to get things
working.”
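
The two-line requirement follows from how ipnat evaluates rules: the first matching rule wins, and a portmap clause applies only to the protocols it names, so ICMP and other non-TCP/UDP traffic needs the second, plain map rule. The sketch below is an added example, not code from the article or from OpenBSD; it models only the two map forms quoted above, and the sample source address 172.16.10.5 is constructed.

```python
import ipaddress
import re

# The two rules quoted from the article's /etc/ipnat.rules.
RULES = """\
map ep0 172.16.10.0/24 -> ep0/32 portmap tcp/udp 10000:20000
map ep0 172.16.10.0/24 -> ep0/32
"""

# Subset of the ipnat grammar: only the 'map' forms shown in the article.
MAP_RE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s+->\s+(?P<target>\S+)"
    r"(?:\s+portmap\s+(?P<protos>\S+)\s+(?P<lo>\d+):(?P<hi>\d+))?$"
)

def parse_rules(text):
    """Parse 'map' lines into dicts, skipping blank lines and # comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MAP_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unsupported rule: {line!r}")
        rule = m.groupdict()
        rule["lineno"] = lineno
        rule["src"] = ipaddress.ip_network(rule["src"])
        # A portmap clause limits the rule to the protocols it names.
        rule["protos"] = set(rule["protos"].split("/")) if rule["protos"] else None
        rules.append(rule)
    return rules

def first_match(rules, ifname, proto, src_ip):
    """Return (rule line, action) for an outbound packet, or None if no rule applies."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["ifname"] != ifname or src not in rule["src"]:
            continue
        if rule["protos"] is None:
            return rule["lineno"], "address only"
        if proto in rule["protos"]:
            return rule["lineno"], f"ports {rule['lo']}-{rule['hi']}"
    return None

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for proto in ("tcp", "udp", "icmp"):
        print(proto, first_match(rules, "ep0", proto, "172.16.10.5"))
```

Swapping the two lines makes the plain rule match TCP and UDP first, so the port range is never applied; the order in the article is the one that works.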
