# You should not edit this file.  Instead, create a file with the same
# name as this one, but with a .rul extension instead of .def.  The
# .rul file will override this one.
#
# However, any changes you make to this file will be preserved.

#: Masquerade packets from internal networks
#if [ -n "$INTERNAL" -a -n "$EXTERNAL_IN" -a -n "$PFW" ]; then
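# Port forwarding: for every pool named in $PFWPOOLS, forward each listed
# protocol/port arriving at an external interface's address to that pool's
# target ($PFWIP_<pool>, optionally port $PFWPORT_<pool>).
# Reads:  EXTERNAL_IN, INTERNAL, PFW, PFWPOOLS, MASQMETHOD, IPTABLES and the
#         per-pool PFWPROTO_/PFWORIGPORTS_/PFWIP_/PFWPORT_ variables.
# List-valued variables are left unquoted on purpose so they word-split.
if [ -n "$EXTERNAL_IN" ] && [ -n "$PFW" ]; then
    for pool in $PFWPOOLS; do
        # $pool is spliced into the text handed to eval below, so accept only
        # characters that can appear in a variable name; any other character
        # would be interpreted by eval as shell syntax.
        case $pool in
        *[!A-Za-z0-9_]*)
            printf 'portfw: skipping pool with invalid name: %s\n' "$pool" >&2
            continue
            ;;
        esac
        eval "PROTOS=\"\$PFWPROTO_$pool\""
        eval "ORIGPORTS=\"\$PFWORIGPORTS_$pool\""
        eval "PFWIP=\"\$PFWIP_$pool\""
        eval "PFWPORT=\"\$PFWPORT_$pool\""
        for PROTO in $PROTOS; do
            for ORIGPORT in $ORIGPORTS; do
                # The dashed form is what ipmasqadm receives; iptables gets
                # ORIGPORT exactly as configured.
                ORIGPORT_DASH=$(printf '%s\n' "$ORIGPORT" | sed 's/:/-/g')
                for j in $EXTERNAL_IN; do
                    # ipnm_cache is defined outside this file; this code
                    # relies on it leaving the interface's address in IPOFIF.
                    ipnm_cache "$j"
                    EXTIP=$IPOFIF
                    if [ -z "$EXTIP" ]; then
                        # Without an address no forward can be installed, so
                        # do not open the FORWARD path for this interface.
                        printf 'portfw: no address for %s, skipping %s/%s\n' \
                            "$j" "$PROTO" "$ORIGPORT" >&2
                        continue
                    fi
                    case $MASQMETHOD in
                    ipfwadm | ipchains)
                        # ${PFWPORT:+...} keeps the argument absent when no
                        # target port is configured.
                        ipmasqadm portfw -a -P "$PROTO" -L "$EXTIP" "$ORIGPORT_DASH" -R "$PFWIP" ${PFWPORT:+"$PFWPORT"}
                        ;;
                    netfilter)
                        # $IPTABLES stays unquoted in case it carries options
                        # as well as the command path - TODO confirm.
                        $IPTABLES -A PREROUTING -t nat -p "$PROTO" -d "$EXTIP" --dport "$ORIGPORT" -j DNAT --to "$PFWIP${PFWPORT:+:$PFWPORT}"
                        ;;
                    esac
                    for i in $INTERNAL; do
                        ipnm_cache "$i"
                        case $MASQMETHOD in
                        netfilter)
                            # NOTE(review): this ACCEPT has no -d match, so it
                            # admits $ORIGPORT towards any host behind $i, not
                            # only $PFWIP. The nat PREROUTING DNAT is applied
                            # before FORWARD is consulted, so a pool whose
                            # PFWPORT differs from ORIGPORT will not match
                            # --dport here. Consider matching -d "$PFWIP" and
                            # the translated port; confirm against the rest of
                            # the ruleset before changing.
                            $IPTABLES -A FORWARD -i "$j" -o "$i" -p "$PROTO" --dport "$ORIGPORT" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# TODO: This should be done only for the interface containing the portforward host
#			    if [ "$PORTFW_REMAP_LOCAL" = "y" ]; then
#				$IPTABLES -A POSTROUTING -t nat -p $PROTO -d $PFWIP ${PFWPORT:+--dport $PFWPORT} -s $IPOFIF/$NMOFIF -j SNAT --to $IPOFIF
#			    fi
                            ;;
                        esac
                    done
                done
            done
        done
    done
fi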