Something goes wrong:
en0 - internal (192.168.1.253)
en1 - external (1.2.3.4)
I do this way:
sysctl -w net.inet.ip.forwarding=1
sysctl -w net.inet.ip.redirect=1
mount -Tio-net ipfilter.so
//until now nothing goes out the QNX box from internal net to internet
ipf -Fa -f /etc/ipf.cnf
pass in all
pass out all
ipnat -CF -f /etc/ipnat.cnf
map en1 192.168.1.0/24 -> 22.214.171.124/32 portmap udp 20000:30000
map en1 192.168.1.0/24 -> 126.96.36.199/32 portmap tcp 30001:60000
map en1 192.168.1.0/24 -> 188.8.131.52/32
now the things are going this way:
ICMP packets -no problem (ICMP ECHO aka PING to any host e.g. www.qnx.com)
UDP packets - they seem to work too (i.e. DNS aka udp port 53;
nslookup & ipnat -l show sessions on port 53 of the external machine. nslookup works fine)
now about TCP — can’t figure out my mistake…
any browser on an internal host finds the required external host, but then says it can’t establish a connection
now look at ipnat -l.
i see udp sessions listed (including port numbers on the internal box, the external QNX interface >>remapped into the right pool<< and external port 53 of the name servers)
there are also footprints of tcp connections:
source, qnx-box-external and external box addresses are listed, but nothing about the ports!!! I suppose port 80 (aka http) should be listed for the outside box, and so should the ports on the internal box and the qnx-box… i suppose
Um, I usually do “portmap tcp/udp”, but your rules still look ok.
I can’t think of any reason why UDP works, but not TCP. Is this
a particular site, or are all the sites you tried blocked?
Can you go to “www.yahoo.com”, or “www.microsoft.com”?
Is the internal Box a Windows machine, or another Unix ?
This happens to any TCP packet:
I used IPFilter from the repository (v 3.4.27); it works fine for ICMP and UDP, but it corrupts the TCP header (it changes the port number as expected, changes the checksum, throws half the header away and throws away all the packet contents; this is the result of working with tcpdump on the local and remote machines)
The one I was able to find in your repository seems to work fine… but catches no packets ((((( statistics show that there is no traffic at all.
All the packets are forwarded to the outer network without any change
I use QNX Momentics 6.2.1A PE
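The outbound translation that the `map en1 ... portmap tcp` rules above describe, and the kind of TCP header damage reported in the previous post, as an added Python example (not code from the thread, from QNX or from IPFilter). It builds a constructed IPv4/TCP packet, rewrites the source address and port the way a NAT box must, and then inspects packets the way one would check a tcpdump capture taken on either side of the QNX box: header lengths, IP checksum and TCP checksum (including the pseudo-header) all have to survive translation. The internal host 192.168.1.10 and the server 203.0.113.10 are made-up sample addresses; 1.2.3.4 is the external address from the thread and 30001 falls inside the thread's tcp portmap pool.

```python
import struct
from ipaddress import IPv4Address

TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: 16-bit one's complement of the one's complement sum.
    Run over a header whose checksum field is already filled in, a correct
    header yields 0, which is how the checks below verify captured packets."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_b: bytes, dst_b: bytes, segment: bytes) -> int:
    """TCP checksum covers a pseudo-header (addresses, protocol, length) plus the
    whole segment, so rewriting the source address alone already invalidates it."""
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, TCP, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_ipv4_tcp(src: str, sport: int, dst: str, dport: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet carrying a TCP SYN segment with valid checksums."""
    src_b, dst_b = IPv4Address(src).packed, IPv4Address(dst).packed
    # 20-byte TCP header: data offset 5 words, SYN flag, window 65535, checksum filled in below
    seg = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    seg = seg[:16] + struct.pack("!H", tcp_checksum(src_b, dst_b, seg)) + seg[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0x1234, 0x4000, 64, TCP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + seg


def nat_rewrite(packet: bytes, new_src: str, new_sport: int) -> bytes:
    """Rewrite source address and port as an outbound 'map ... portmap tcp' rule does
    and recompute both checksums. (ipnat updates checksums incrementally per RFC 1624;
    a full recompute produces the same bytes on a well-formed packet.)"""
    ihl = (packet[0] & 0x0F) * 4
    ip, seg = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    ip[12:16] = IPv4Address(new_src).packed
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip)))
    seg[0:2] = struct.pack("!H", new_sport)
    seg[16:18] = b"\x00\x00"
    seg[16:18] = struct.pack("!H", tcp_checksum(bytes(ip[12:16]), bytes(ip[16:20]), bytes(seg)))
    return bytes(ip + seg)


def inspect(packet: bytes) -> dict:
    """Parse an IPv4/TCP packet (e.g. one captured with tcpdump on either side of the
    NAT box) and list everything a translator must have left intact."""
    problems = []
    if len(packet) < 20:
        return {"problems": ["shorter than an IPv4 header"]}
    ver_ihl, _, total_len, _, _, _, proto, _, src_b, dst_b = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(packet):
        return {"problems": ["bad IP version or header length"]}
    if ones_complement_sum(packet[:ihl]) != 0:
        problems.append("IP header checksum mismatch")
    if total_len != len(packet):
        problems.append(f"IP total length {total_len} != {len(packet)} bytes captured")
    if proto != TCP:
        problems.append(f"protocol {proto} is not TCP")
    info = {"src": str(IPv4Address(src_b)), "dst": str(IPv4Address(dst_b)), "problems": problems}
    end = total_len if ihl <= total_len <= len(packet) else len(packet)
    seg = packet[ihl:end]
    if len(seg) < 20:
        # The symptom from the thread: half the TCP header gone after translation
        problems.append(f"TCP header truncated: only {len(seg)} bytes after the IP header")
        return info
    sport, dport, _, _, off_byte = struct.unpack("!HHIIB", seg[:13])
    doff = (off_byte >> 4) * 4
    info.update(sport=sport, dport=dport)
    if doff < 20 or doff > len(seg):
        problems.append(f"TCP data offset {doff} does not fit a {len(seg)}-byte segment")
    if tcp_checksum(src_b, dst_b, seg) != 0:
        problems.append("TCP checksum mismatch")
    return info


if __name__ == "__main__":
    # Constructed sample: internal host opening an HTTP connection through the NAT box
    inside = build_ipv4_tcp("192.168.1.10", 40000, "203.0.113.10", 80, b"GET / HTTP/1.0\r\n\r\n")
    outside = nat_rewrite(inside, "1.2.3.4", 30001)  # 30001 lies in the 'portmap tcp 30001:60000' pool
    print("after NAT:", inspect(outside))
    # Simulate the reported fault: half the TCP header and the payload thrown away
    print("damaged:", inspect(outside[:30])["problems"])
```

Running `inspect` over the packets of one connection captured on the internal interface and again on en1 shows exactly which field the translator broke; a healthy NAT leaves an empty problems list on both sides, with only the source address and port differing.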
Well, using the one in the 3rd party repository is the right choice.
Is your internal box a Windows machine? There was one time
that IPFilter would block any Windows packets (not intentionally
of course), but it should be fixed and put into the QNX 3rd party
repository now. Send me an email to xtang AT qnx dot com,
I will see if I could get a proper one for you.
Sorry for the intrusion, but I need some help too (you know the feeling…) I’m trying to set up a home firewall. So far I got both interfaces working. I can reach the internet on one, and I can ssh in from another box using the other, so I guess everything should be fine. This is the netstat -r output:
Destination      Gateway            Flags  Refs  Use   Mtu    Interface
default          184.108.40.206     UG     1     203   1500   en0
127.0.0.1        127.0.0.1          UH     0     0     33220  lo0
192.168          link#3             UC     1     0     1500   en1
192.168.0.2      00:80:ad:97:5b:16  UHL    2     1066  1500   en1
202.0.35         link#2             UC     1     0     1500   en0
220.127.116.11   00:b0:8e:42:77:83  UHL    1     41    1500   en0
Now I’m not really an expert in the field, and my experience comes from the SysV world, so please bear with me.
Q1: Do I need ipfilter.so in order to use the qnx box as a router, i.e. does it do just filtering, or NAT as well?
Q2: Now the problem. This is what happens when I try to load it:
bash-2.05a# mount -T io-net ipfilter.so
mount: Can’t mount / (type io-net)
mount: Possible reason: No such device or address
Can anyone please shed some light here. Thanks a lot.
ipfilter provides both filtering and NATing.
The fact that you can’t load ipfilter.so could be some sort of version mismatch.
Make sure you have the latest QNX too.
Thanks for the reply.
I downloaded the iso image less than a month ago, and it took me some time to sort out the network interfaces. I’ve also added the third party repository (if that’s the name).
- How do I know that I need to update and what?
- How do I update/upgrade?
It was quite obvious what to do to install new packages, but I don’t have a clue how to maintain it afterwards.