Forum Topic - pf.conf and NAT: (16 Items)
pf.conf and NAT  
REF: QNX 6.5

I'm pretty much tearing my hair out over this one.   I have a target board with two nics.  One will be visible on the 
internet and the other will have a NFS server.

The IP's are

host: fxp0:198.144.201.133 fxp1:192.168.1.1

NFS: 192.168.1.2

I want to be able to ftp through the board to the NFS server using ftp.   These are the things I've tried.

1) put a line in /etc/sysctl.conf
net.inet.ip.forwarding=1

I've also tried starting 

# io-pkt-v4-hc -ptcpip forward

The file /etc/pf.conf has the lines
rdr on fxp0 proto TCP from any to 198.144.201.133 port 21 -> 192.168.1.2 port 21
nat on fxp0 from 192.168.1.0/24 to any -> 198.144.201.133

I've also tried a number of variants on this.

Finally I load as follows:

# mount -Ttcpip lsm-pf-v4.so

And... nothing happens.  If I ftp from outside to 198.144.201.133 I get nothing if inetd isn't running, and if it is I 
get the ftpd on 198.144.201.133.   
I can always ftp from this machine to 192.168.1.2 and get the NFS server.

# pfctl -s nat
gives the error No ALTQ support in kernel :-(.

A few side comments.
There are no error messages I can find generated by bad commands in pf.conf.
The documentation with 6.5 on /etc/pf.conf is dense and impenetrable.   I couldn't find anything to explain the 
occasional '!' inserted in a command.   To figure this out at all I had to google some UNIX docs.

Thanks for any assistance.
Re: pf.conf and NAT  
Hi Mitchell,

One major gotcha with pf is that you need to enable it with pfctl -e.

Yes, to do NAT you'll need forwarding enabled and the pf lsm loaded.

The sysctl and starting io-pkt with forward option are equivalent. But 
I've never used the sysctl.conf. I don't think it's supported.

The Utilities reference isn't intended to be an exhaustive 
documentation. A good reference to pf is here: 
http://www.openbsd.org/faq/pf/index.html Although you should know all 
features aren't supported by io-pkt. It's also good to read the User's 
Guide: 
http://www.qnx.com/developers/docs/6.4.1/io-pkt_en/user_guide/filtering.html 
and the wiki: 
http://community.qnx.com/sf/wiki/do/viewPage/projects.networking/wiki/Filtering_wiki_page

I'm a little confused by your setup. FTP-ing into an NFS server doesn't 
make sense - FTP and NFS are two different protocols. Is your FTP server 
running on your target? your NFS server running on the target or on 
another node and mounted on the target?

Cheers!
/P



On 10-07-19 10:11 PM, Mitchell Schoenbrun wrote:
> REF: QNX 6.5
>
> I'm pretty much tearing my hair out over this one.   I have a target
> board with two nics.  One will be visible on the internet and the
> other will have a NFS server.
>
> The IP's are
>
> host: fxp0:198.144.201.133 fxp1:192.168.1.1
>
> NFS: 192.168.1.2
>
> I want to be able to ftp through the board to the NFS server using
> ftp.   These are the things I've tried.
>
> 1) put a line in /etc/sysctl.conf
> net.inet.ip.forwarding=1
>
> I've also tried starting
>
> # io-pkt-v4-hc -ptcpip forward
>
> The file /etc/pf.conf has the lines
> rdr on fxp0 proto TCP from any to 198.144.201.133 port 21 -> 192.168.1.2 port 21
> nat on fxp0 from 192.168.1.0/24 to any -> 198.144.201.133
>
> I've also tried a number of variants on this.
>
> Finally I load as follows:
>
> # mount -Ttcpip lsm-pf-v4.so
>
> And... nothing happens.  If I ftp from outside to 198.144.201.133 I
> get nothing if inetd isn't running, and if it is I get the ftpd on
> 198.144.201.133. I can always ftp from this machine to 192.168.1.2
> and get the NFS server.
>
> # pfctl -s nat gives the error No ALTQ support in kernel :-(.
>
> A few side comments. There are no error messages I can find generated
> by bad commands in pf.conf. The documentation with 6.5 on
> /etc/pf.conf is dense and impenetrable.   I couldn't find anything to
> explain the occasional '!' inserted in a command.   To figure this
> out at all I had to google some UNIX docs.
>
> Thanks for any assistance.
>
>
>
>
> _______________________________________________
>
> Technology http://community.qnx.com/sf/go/post59885
>
Re: pf.conf and NAT  
Patrik,

    Thanks so much for the reply.   I get the following response from
# pfctl -e

no ALTQ support in kernel

and nothing else is changed.   This is QNX 6.5 newly installed.
This doesn't sound right at all.  

Any other suggestions?

Mitchell
Re: pf.conf and NAT  
A small correction

# pfctl -e
no ALTQ support in kernel
pf enabled

So something happened, but nothing changed.  



Re: pf.conf and NAT  
How do you ftp into an NFS server?

On 10-07-20 02:39 PM, Mitchell Schoenbrun wrote:
> A small correction
>
> # pfctl -e
> no ALTQ support in kernel
> pf enabled
>
> So something happened, but nothing changed.
Re: pf.conf and NAT  
The usual way, eg:

ftp 198.144.201.133

Actually I'm making some progress.  

To start with, I've been under the (apparently wrong) assumption that on load the file /etc/pf.conf would get loaded.   
This is not so.

I can load it with "pfctl -f /etc/pf.conf".   This does load the file and if I run "pfctl -s nat" I see the rules.

When I do this, the behavior changes.   Now when I ftp remotely to 198.144.201.133 instead of connecting with the local 
ftpd, the connection times out.   This is good progress.  At least I know something is happening.   I'm guessing now 
that my rules need adjusting.

Re: pf.conf and NAT  

On 10-07-20 03:08 PM, Mitchell Schoenbrun wrote:
> The usual way, eg:
>
> ftp 198.144.201.133

But FTP is not NFS. They're different and incompatible protocols.

/P
Re: pf.conf and NAT  
Patrik,

    I'm sorry I'm confusing you.   The device is a My-Book World Edition.   You connect to it via Ethernet.   It has a 
shared hard disk on board.   You can access it through various protocols including NFS, ftp and CIFS.   I was just 
calling it a NFS device casually.

Mitchell
Re: pf.conf and NAT  
Well, that kinda changes everything :-)

On 10-07-20 03:20 PM, Mitchell Schoenbrun wrote:
> Patrik,
>
>      I'm sorry I'm confusing you.   The device is a My-Book World Edition.   You connect to it via Ethernet.   It has 
a shared hard disk on board.   You can access it through various protocols including, NFS, ftp and CIF.   I was just 
calling it a NFS device casually.
>
> Mitchell
>
>
>
> _______________________________________________
>
> Technology
> http://community.qnx.com/sf/go/post60045
>
Re: pf.conf and NAT  
Not my problem getting ftp redirected and NAT working :-).
Re: pf.conf and NAT  
I have a little hope generated here.
With the following rule:

rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 -> 127.0.0.1 port 21

When I ftp as follows:

# ftp -P 8080 198.144.201.133

I get a proper login and an "FTP>" prompt.  If I enter any commands I get hung.


 
Re: pf.conf and NAT  

On 10-07-20 05:04 PM, Mitchell Schoenbrun wrote:
> I have a little hope generated here.
> With the following rule:
>
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 ->  127.0.0.1 port 21
>
> When I ftp as follows:
>
> # ftp -P 8080 198.144.201.133
>
> I get a proper login and an "FTP>" prompt.  If I enter any commands I get hung.

FTP doesn't just use port 21 it'll use a separate data channel too. 
Passive mode may also be required depending on your setup...
/P
Re: pf.conf and NAT  
I agree that ftp is somewhat complicated so I changed strategy.   I'm just trying to get pf working and able to forward 
and do NAT translations.   Instead I'm trying to map port 80 (HTTP) to the NFS device.   Before we get into it again, 
the NFS device has a small webserver on it to allow administration.   Below I show two files, a script I run and the 
rules file.   Below that is the result of running the script which all looks good.  I tested the NFS webserver from my 
host going directly to http://192.168.1.2 and it works just fine.   But after running the script and accessing http://
198.144.201.133 from another machine on the network, I get no response.   I can't make the rules file any simpler and I 
can't think of anything else to get it going.   

go2 - script
slay io-pkt-v4-hc
sleep 2
io-pkt-v4-hc -ptcpip forward -dspeedo
sleep 2
ifconfig fxp0 inet 198.144.201.133 netmask 255.255.255.112
ifconfig fxp1 inet 192.168.1.1 netmask 255.255.255.0
mount -Ttcpip lsm-pf-v4.so
sleep 1
pfctl -f /etc/pf2.conf
pfctl -e
echo "Rules in Effect"
pfctl -s nat

/etc/pf2.conf:
rdr on fxp0 proto TCP from any to 198.144.201.133 port 80 -> 192.168.1.2 port 80

# sh -v go2
slay io-pkt-v4-hc
sleep 2
io-pkt-v4-hc -ptcpip forward -dspeedo
sleep 2
ifconfig fxp0 inet 198.144.201.133 netmask 255.255.255.112
ifconfig fxp1 inet 192.168.1.1 netmask 255.255.255.0
mount -Ttcpip lsm-pf-v4.so
sleep 1
pfctl -f /etc/pf2.conf
No ALTQ support in kernel
ALTQ related functions disabled
pfctl -e
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
echo "Rules in Effect"
Rules in Effect
pfctl -s nat
No ALTQ support in kernel
ALTQ related functions disabled
rdr on fxp0 inet proto tcp from any to 198.144.201.133 port = http -> 92.168.1.2 port 80
Re: pf.conf and NAT  
Mitchell,

Can you post your solution for getting the packet forwarding resolved? I am trying a similar thing using pf to redirect 
a port to another machine. My redirect logic is working fine. I tested by redirecting a high port (4000) to  localhost 
port 21 and verifying I could telnet to the box on port 4000.

rdr pass on $int_if inet proto tcp from any to any port 4000 -> 127.0.0.1 port 21

The problem I am running into is getting PF to forward my packet. I have tried to put a line in /etc/sysctl.conf
net.inet.ip.forwarding=1

But, like you, that does not work.

When I enter the forward option through io-pkt-v4 (below) all of my interfaces disappear when I do an "ifconfig -a".

# io-pkt-v4-hc -ptcpip forward

Can someone please explain how to turn packet forwarding on correctly with QNX 6.5 and have it persist on reboot? Thanks!
Re: pf.conf and NAT  
One quick update. I did find a way to set IP forwarding with sysctl:

sysctl -w net.inet.ip.forwarding=1

However, I am still not getting packets to redirect out of the box.

> Mitchell,
> 
> Can you post your solution for getting the packet forwarding resolved? I am 
> trying a similar thing using pf to redirect a port to another machine. My 
> redirect logic is working fine. I tested by redirecting a high port (4000) to 
>  localhost port 21 and verifying I could telnet to the box on port 4000.
> 
> rdr pass on $int_if inet proto tcp from any to any port 4000 -> 127.0.0.1 port 21
> 
> The problem I am running into is getting PF to forward my packet. I have tried
>  to put a line in /etc/sysctl.conf
> net.inet.ip.forwarding=1
> 
> But, like you, that does not work.
> 
> When I enter the forward option through io-pkt-v4 (below) all of my interfaces
>  disappear when I do an "ifconfig -a".
> 
> # io-pkt-v4-hc -ptcpip forward
> 
> Can someone please explain how to turn packet forwarding on correctly with QNX
>  6.5 and have it persist on reboot? Thanks!


Re: pf.conf and NAT  
Have you enabled with "pfctl -e" ?

I believe this forwards all traffic between two interfaces...

     io-pkt-v4-hc -d speedo -d tigon3 -p tcpip forward -p pf-v4
     sysctl -w net.inet.ip.forwarding=1
     pfctl -A -f /etc/pf.conf
     pfctl -e

  with /etc/pf.conf as...
     pass in  quick all
     pass out quick all

Of course you will want to adjust the rules...
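Added example (editor's, not code from any post in this thread or from QNX): one script that puts together what the thread converges on. It covers Patrik's points that pf has to be enabled with pfctl -e and needs forwarding plus the pf lsm, Mitchell's finding that /etc/pf.conf is not loaded by the module on its own, Patrik's note that FTP needs a data channel as well as port 21, the rdr/nat ruleset of the go2 script, and the bring-up order of the last post. Names and values that are assumptions rather than facts from the page: the NAS is assumed to use 192.168.1.1 as its default gateway (without that, replies to redirected connections never come back through pf, which looks exactly like a timeout); its ftpd is assumed to be in passive mode with data ports 50000-50100 (FTP_PASV, change it to whatever the NAS is configured for); io-pkt is assumed to be already running with both drivers, so interfaces are not configured here (note in passing that 255.255.255.112 in the go2 script is not a contiguous netmask; a /28 is 255.255.255.240). The nat rule uses /24 to match the mask on fxp1. Rules are loaded with plain pfctl -f: pfctl's -A restricts a load to ALTQ queue rules, which this io-pkt reports as unsupported. The pf_check step answers the "no error messages" complaint: pfctl -nf parses the file and prints the line of any syntax error without loading anything.

```shell
#!/bin/sh
# Editor's added example, not code from the thread: bring pf up on a QNX 6.5
# io-pkt target with two NICs and redirect HTTP and FTP from the external
# address to a NAS on the internal LAN, in the order the thread converges on.
# Assumptions not stated on the page: io-pkt is already running with both
# drivers; the NAS's default gateway is the target's internal address; the
# NAS ftpd is in passive mode with data ports 50000-50100.
set -eu

EXT_IF=${EXT_IF:-fxp0}
EXT_ADDR=${EXT_ADDR:-198.144.201.133}
INT_IF=${INT_IF:-fxp1}
LAN=${LAN:-192.168.1.0/24}        # /24 matches the 255.255.255.0 mask on fxp1
NAS=${NAS:-192.168.1.2}
FTP_PASV=${FTP_PASV:-50000:50100} # assumed passive data-port range on the NAS
PF_CONF=${PF_CONF:-/etc/pf.conf}

# Emit the ruleset. A function rather than a static file so it can be
# inspected, syntax-checked and compared against "pfctl -s nat" later.
pf_rules() {
    cat <<EOF
# generated by $0
ext_if = "$EXT_IF"
ext_addr = "$EXT_ADDR"
lan = "$LAN"
nas = "$NAS"
ftp_pasv = "$FTP_PASV"

# Outbound: masquerade the internal LAN behind the external address.
nat on \$ext_if from \$lan to any -> \$ext_addr

# Inbound: HTTP admin page and FTP control channel go to the NAS. Filter
# rules below see the translated destination (\$nas), not \$ext_addr.
rdr on \$ext_if proto tcp from any to \$ext_addr port 80 -> \$nas port 80
rdr on \$ext_if proto tcp from any to \$ext_addr port 21 -> \$nas port 21
# FTP data channel: in passive mode the server names a port in this range
# in its PASV reply; without this rdr the session hangs after login.
# No port after "->" keeps the original destination port.
rdr on \$ext_if proto tcp from any to \$ext_addr port \$ftp_pasv -> \$nas

# Only the redirected services may reach the NAS from the outside.
pass in quick on \$ext_if proto tcp from any to \$nas port { 80, 21, \$ftp_pasv } keep state
block in quick on \$ext_if from any to \$nas
pass in quick all
pass out quick all
EOF
}

# Write the file and parse it without loading it. pfctl reports the line
# of any syntax error here, before pf is touched.
pf_check() {
    pf_rules > "$PF_CONF"
    pfctl -nf "$PF_CONF"
}

# Bring-up order: forwarding, pf module, rules, enable. /etc/pf.conf is not
# read by the module on its own; pfctl -f has to load it.
pf_apply() {
    pf_check
    sysctl -w net.inet.ip.forwarding=1
    # Load the pf module if /dev/pf is not there yet (alternative at boot:
    # io-pkt-v4-hc -d <driver> -p tcpip forward -p pf-v4, as in the last post).
    pfctl -s info >/dev/null 2>&1 || mount -Ttcpip lsm-pf-v4.so
    pfctl -f "$PF_CONF"   # loads nat, rdr and filter rules (no -A/-N/-R)
    pfctl -e
}

# What to look at when a redirected connection times out: forwarding must
# be 1, the nat/rdr output must show the addresses you intended, and after
# a client connects "pfctl -s state" must show a state for $nas. A state
# with no reply traffic points at the NAS's default route, not at pf.
pf_status() {
    sysctl net.inet.ip.forwarding
    pfctl -s nat
    pfctl -s rules
    pfctl -s state
}

case "${1:-}" in
    rules)  pf_rules ;;
    check)  pf_check ;;
    apply)  pf_apply ;;
    status) pf_status ;;
    "")     ;;  # no argument: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 rules|check|apply|status" >&2; exit 2 ;;
esac
```

Run it as "sh pfup.sh check" first to see the parsed ruleset and any syntax error, then "sh pfup.sh apply", then "sh pfup.sh status" while a client is connecting from outside. Because the rdr takes port 21 and 80 on the external address, the target's own inetd ftpd is no longer reachable from outside on those ports; that is the intended effect, but it means a client that still lands on the local ftpd is a sign the rules were not loaded or pf is not enabled.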