Actually, this isn't what he's talking about. The Linux implementation
of IPFW includes some kernel mods that let a firewall translate
(masquerade) "outgoing" requests, so that the packets have the firewall's
IP address, and then retranslates the responses so that they get to the
It's called "proxy".
It's not "masquerading" because you can't set up incoming FTP requests
(for instance) to one of the proxied machines.
The "correct BSD way" of implementing this would be to provide a packet
forwarding daemon that used the tunneling device to do its thing.
It seems the latest ip-filter version (3.0.2) comes with NAT to make
something like this (http://coombs.anu.edu.au/~avalon/ip-filter.html).