Help starting IPFilter

Please help!!!
Something goes wrong:

en0 - internal (192,168,1,253)
en1 - external (1,2,3,4)
I do this way:

sysctl -w net.inet.ip.forwarding=1

sysctl -w net.inet.ip.redirect=1

mount -Tio-net

//until now nothing goes out the QNX box from internal net to internet

ipf -Fa -f /etc/ipf.cnf

pass in all
pass out all

ipnat -CF -f /etc/ipnat.cnf

map en1 → portmap udp 20000:30000
map en1 → portmap tcp 30001:60000
map en1 →

now the things are going this way:
ICMP packets -no problem (ICMP ECHO aka PING to any host e.g.
UDP packets - they seem too (i.e. DNS aka udp port 53
i.e. nslookup & ipnat -l show sessions on 53 port of external machine. nslookup works fine)
now about TCP — can’t figure out my mistake…
any browser from the internal host finds the external host that was requested, but then says - it can’t establish connection
now look at ipnat -l.
i see udp sessions listing (including port numbers on internal box, external QNX interface >>remapped into the right pool<< and external port 53 of name servers
there are also footprints of tcp connections
source, qnx-box-external and external box addresses are listed, but nothing about the ports!!! I suppose the port 80 (aka http) should be listed on the outside box and either should ports on internal and qnx-box… i suppose
WHY??? :frowning: :question:

Um, I usually do “portmap tcp/udp”, but your rules still look ok.

I can’t think of any reason why UDP works, but not TCP. Is this
a particular site, or are all the sites you tried blocked?
Can you go to “”, or “” ?
Is the internal box a Windows machine, or another Unix?

This happens to any TCP packet:
I used IPFilter from repository (v 3.4.27) it works fine for ICMP and UDP - but it corrupts TCP header (it changes port number as expected, changes checksum, throws half a header away and throws all the packet contents - this is the result of working with tcpdump on the local and remote machine)
The one I was able to find in your repository - it seems to work fine… but catches no packets ((((( statistics shows that there is no traffic at all.
All the packets are forwarded to the outer network without any change
I use QNX Momentix 6.2.1A PE
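
The symptom reported in the post above (port rewritten, checksum changed, half the header gone) can be confirmed from captured bytes. The following is an added example, not part of the thread and not IPFilter's code: it rewrites a source port the way a portmap rule would, patches the TCP checksum incrementally (RFC 1624), and checks a segment for a short header or a bad checksum. The host 192.168.1.10, the server 198.51.100.7, the sample SYN and all function names are constructed for illustration; 1.2.3.4 and port 30001 are taken from the rules in the first post.

```python
import socket
import struct

def fold(total):
    """Fold carries back in (one's-complement addition, RFC 1071)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src, dst, segment):
    """Checksum over pseudo-header + segment; 0 means a received segment verifies."""
    data = (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, 6, len(segment)) + segment)
    if len(data) % 2:
        data += b"\x00"
    return ~fold(sum(struct.unpack("!%dH" % (len(data) // 2), data))) & 0xFFFF

def build_syn(src, dst, sport, dport):
    """Constructed 20-byte SYN (no options, no payload) used as sample input."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)
    return hdr[:16] + struct.pack("!H", tcp_checksum(src, dst, hdr)) + hdr[18:]

def nat_rewrite(segment, old_src, new_src, new_sport):
    """Rewrite the source port and patch the checksum: HC' = ~(~HC + ~m + m')."""
    old = struct.unpack("!3H", socket.inet_aton(old_src) + segment[0:2])
    new = struct.unpack("!3H", socket.inet_aton(new_src) + struct.pack("!H", new_sport))
    total = ~struct.unpack("!H", segment[16:18])[0] & 0xFFFF
    for o, n in zip(old, new):
        total += (~o & 0xFFFF) + n
    new_ck = ~fold(total) & 0xFFFF
    return struct.pack("!H", new_sport) + segment[2:16] + struct.pack("!H", new_ck) + segment[18:]

def check_segment(src, dst, segment):
    """Return the problems found in a captured TCP segment (empty list = sane)."""
    if len(segment) < 20:
        return ["shorter than the 20-byte minimum TCP header"]
    problems = []
    if not 20 <= (segment[12] >> 4) * 4 <= len(segment):
        problems.append("bad data offset")
    if tcp_checksum(src, dst, segment) != 0:
        problems.append("bad checksum")
    return problems

# INSIDE and SERVER are constructed sample addresses; OUTSIDE is en1 from the post.
INSIDE, OUTSIDE, SERVER = "192.168.1.10", "1.2.3.4", "198.51.100.7"
syn = build_syn(INSIDE, SERVER, 1025, 80)
good = nat_rewrite(syn, INSIDE, OUTSIDE, 30001)
if __name__ == "__main__":
    print(check_segment(OUTSIDE, SERVER, good))       # correctly translated segment
    print(check_segment(OUTSIDE, SERVER, good[:10]))  # half the header thrown away
    print(check_segment(OUTSIDE, SERVER, syn))        # address changed, checksum not patched
```

To use it on real traffic, pass the TCP segment bytes and the IP source and destination addresses as seen in the tcpdump capture on the external side.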

Well, using the one in the 3rd party repository is the right choice.
Is your internal box a Windows machine? There was a time
when IPFilter would block any Windows packets (not intentionally
of course :slight_smile:), but it should be fixed and put into the QNX 3rd party
repository now. Send me an email at xtang AT qnx dot com,
I will see if I could get a proper one for you.

Sorry for the intrusion, but I need some help too (you know the feeling…) I’m trying to set up a home firewall. So far I got both interfaces working. I can reach the internet on one, and I can ssh in from another box using the other, so I guess everything should be fine. This is the netstat -r output:
Routing tables

Destination Gateway Flags Refs Use Mtu Interface
default UG 1 203 1500 en0 UH 0 0 33220 lo0
192.168 link#3 UC 1 0 1500 en1 00:80:ad:97:5b:16 UHL 2 1066 1500 en1
202.0.35 link#2 UC 1 0 1500 en0 00:b0:8e:42:77:83 UHL 1 41 1500 en0

Now I’m not really an expert in the field, and my experience comes from SysV world, so please bear with me.
Q1: Do I need in order to use the qnx box as a router, ie does it do just filtering, or NAT as well?
Q2: Now the problem. This is what happens when I try to load it:
bash-2.05a# mount -T io-net
mount: Can’t mount / (type io-net)
mount: Possible reason: No such device or address

Can anyone please shed some light here. Thanks a lot.


ipfilter provides both Filtering and NATing.

The fact that you can’t load it could be some sort of version mismatch.
Make sure you have the latest QNX too.

Thanks for the reply.
I downloaded the iso image less than a month ago, and it took me some time to sort out network interfaces. I’ve also added the third party repository (if that’s the name).

  1. How do I know that I need to update and what?
  2. How do I update/upgrade?
    It was quite obvious what to do to install new packages, but I don’t have a clue how to maintain it afterwards.