I have completed the above task and it works on all machine except one. On a firewall machine we have problems as it appears "ipnat" is unhappy about the kernel not having IPV6 support.
The end result is: "Installing NAT rules ... 70:ioctl(SIOCGNATS) object size mismatch for copying out ipfobj" upon starting up ipnat. I have read about this exact error/problem on the FreeBSD platform and they have a method of compiling the kernel with a make.conf options called: NOINET6="YES" NO_INET6="YES" WITHOUT_INET6="YES" Their bug report number when someone reported the same error from ipnat was: 190964 Does NetBSD have such a compile time option? I have already commented out: #options INET6 #pseudo-device stf #options BRIDGE_IPF In my config file I have: options IPFILTER_LOG # ipmon(8) log support options IPFILTER_LOOKUP # ippool(8) support options IPFILTER_COMPAT # Compat for IP-Filter #options IPFILTER_DEFAULT_BLOCK # block all packets by default pseudo-device ipfilter # IP filter (firewall) and NAT Hoping there is a way to do this especially with the latest SA's reporting IPV6 vulnerabilities. Thank you Scott..