Since ipnat provides a method to rewrite packets as they traverse the
firewall, it becomes a convenient place to build in some application level proxies to make
up for well known deficiencies of that application and typical firewalls. For example;
FTP. We can make our firewall pay attention to the packets going across it and when it
notices that it's dealing with an Active FTP session, it can write itself some temporary
rules, much like what happens with keep state, so that the FTP data connection
works. To do this, we use a rule like so:
map tun0 192.168.1.0/24 -> 220.127.116.11/32 proxy port ftp ftp/tcp
You must always remember to place this proxy rule before any portmap rules, otherwise when portmap comes along and matches the packet and rewrites it before the proxy gets a chance to work on it. Remember that ipnat rules are first-match.
There also exist proxies for "rcmd" (which we suspect is berkeley r-* commands which should be forbidden anyway, thus we haven't looked at what this proxy does) and "raudio" for Real Audio PNM streams. Likewise, both of these rules should be put before any portmap rules, if you're doing NAT.