non-newbie with a newbie question (ipnat)
I am trying to wrap my brain around this whole ipf/ipnat situation. OK,
here is the deal: I have a 2.9 box sitting in front of about 10
servers. I am running ipf and ipnat, to only allow connections to
certain ports from the world and admin ports and such from only certain
machines. Now I want to be able to backup my servers from outside my
firewall.
To do this backup I need to open up ports 7937-9936 and 10001-30000 (but
also some around 600 as well, I am still tracking this down.) So I open
these ports in ipf -- in fact at one point I even did "pass in log quick
on fxp0 from any to any" and still I can't back up. My backup program
gives me no useful error messages.
This makes me think the real trouble is ipnat.
So here is ipnat as I understand it, I have at the beginning:
map fxp0 192.168.1.0/24 -> 156.98.18.15/32 portmap tcp/udp 10000:60000
map fxp0 192.168.1.0/24 -> 156.98.18.15/32
So as I understand it, this is mapping all the outgoing connections to
the 18.15 address? But what about the incoming connections? I have
other rules in the ipnat.rules that redirect the web and ssh servers to
specific machines and ports such as:
rdr fxp0 156.98.18.25/32 port 22 -> 192.168.1.18 port 22
But my question is, how about the ports that my backup program uses? If
I have to specifically say port 22 on one external address should be
pointing to port 22 on the private machine, how is my backup server
going to connect from the outside to port 60x or 793x when I don't know
the exact port number? Is there some type of default redirect I am not
using? Or do I not understand the map command?
--ja
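As an added illustration (not part of the original post or any reply), the distinction the question circles around: `map` only translates sessions that an internal host opens, while unsolicited inbound connections need explicit `rdr` entries, and IPFilter 3.4's ipnat accepts a port range in an `rdr` rule. The internal backup host 192.168.1.18 and the `<backup-server>` placeholder are assumptions for this example, not the poster's real layout.

```conf
# /etc/ipnat.rules (illustrative; internal addresses are assumptions)

# Outbound: hosts on 192.168.1.0/24 appear as 156.98.18.15. These map rules
# create a translation only when an internal host opens the session, so
# they do nothing for connections that arrive from the outside.
map fxp0 192.168.1.0/24 -> 156.98.18.15/32 portmap tcp/udp 10000:60000
map fxp0 192.168.1.0/24 -> 156.98.18.15/32

# Inbound: one rdr per public service, as the poster already does for ssh.
rdr fxp0 156.98.18.25/32 port 22 -> 192.168.1.18 port 22 tcp

# Inbound ranges for the backup agent: a range on the left maps onto the
# same-sized range starting at the port on the right (7937->7937, 7938->7938,
# ...), so the exact port does not need to be known in advance.
rdr fxp0 156.98.18.25/32 port 7937-9936 -> 192.168.1.18 port 7937 tcp/udp
rdr fxp0 156.98.18.25/32 port 10001-30000 -> 192.168.1.18 port 10001 tcp/udp

# Rather than "pass in ... from any to any" in ipf.rules, limit the pass rule
# to the backup server's address and these ranges. ipf applies rdr before
# filtering on input, so the rule matches the translated (internal)
# destination; <backup-server> is a placeholder for the real source address:
#   pass in quick on fxp0 proto tcp/udp from <backup-server>/32 \
#       to 192.168.1.18 port 7936 >< 9937 keep state
#   pass in quick on fxp0 proto tcp/udp from <backup-server>/32 \
#       to 192.168.1.18 port 10000 >< 30001 keep state
```

After loading with `ipnat -CF -f /etc/ipnat.rules`, `ipnat -l` shows the active rdr entries and `ipnat -lv` the translations created as the backup server connects, which is the quickest way to tell a NAT problem from a filter problem.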