
Appendix: Examples

This appendix includes examples of the following: buildfiles (for an NFS-mounting target, qnxbasedma.build, and one that doesn't use diskboot), the .profile and .kshrc files, configuration files for the spooler, PPP with CHAP authentication, and configuration files for setting up a firewall.

Buildfile for an NFS-mounting target

Here's a sample buildfile for an NFS-mounting target.


Note: In a real buildfile, you can't use a backslash (\) to break a long line into shorter pieces, but we've done that here, just to make the buildfile easier to read.

###########################################################################
##
## QNX Neutrino 6.x on the MIPS Malta evaluation board (Galileo GT64120A)
##
###########################################################################
##
## SUPPORTED DEVICES:
##
## SERIAL:  RS-232 ports UART0 and UART1
## PCI:     4 PCI slots
## NETWORK: AMD 79C973
## FLASH:   4MB Intel Strata Flash
## USB:     UHCI USB Host Controller
##
##  - For detailed instructions on the default example configuration for
##    these devices see the "CONFIGURING ON-BOARD SUPPORTED HARDWARE"
##    section below the build script section, or refer to the BSP docs.
##  - Tip: Each sub-section which relates to a particular device is marked
##         with its tag (ex. SERIAL). You can use the search features of
##         your editor to quickly find and add or remove support for
##         these devices.
##
###########################################################################
##
## NOTES:
##
##  - This is a development configuration: the programs, libraries and
##    /etc of the target come from an NFS server, and a shell is started
##    on the serial console. Review the NETWORK, REMOTE_DEBUG and
##    NFS_REMOTE_FILESYSTEM sections before reusing it for anything other
##    than a lab board.
##
###########################################################################

###########################################################################
## START OF BUILD SCRIPT
###########################################################################

## image= sets the address in target memory that the image is built for.
[image=0x800a0000]
## Bootstrap: a "virtual" (procnto-based) image for little-endian MIPS,
## written out in S-record format.
[virtual=mipsle,srec] .bootstrap = {
###########################################################################
## default frequency for 4kc is 80Mhz; adjust -f parameter for different
## frequencies
###########################################################################
    startup-malta -f 80000000 -v
## NOTE(review): the leading ':' gives PATH an empty first element, which
## POSIX treats as the current directory -- confirm this is intended. The
## same applies to the PATH and LD_LIBRARY_PATH set in the script below.
    PATH=:/proc/boot procnto-32 -v 
}

## Startup script: runs once procnto is up. Programs start in the order
## listed; "waitfor <path> [seconds]" blocks until the path appears so the
## following steps can rely on it.
[+script] .script = {
    ## point the runtime linker name at the libc already in the boot image
    procmgr_symlink ../../proc/boot/libc.so.2 /usr/lib/ldqnx.so.2

    display_msg Welcome to QNX Neutrino 6.x on the Malta evaluation board

    #######################################################################
    ## SERIAL driver
    ##  - -c is the UART clock frequency, -b the baud rate; the trailing
    ##    arguments describe the two ports (presumably base,irq pairs --
    ##    check the devc-ser8250 docs). The backslash line break is for
    ##    readability only (see the note above the listing).
    #######################################################################
    devc-ser8250 -e -c1843200 -b38400 0x180003f8,0x80020004 \
0x180002f8,0x80020003 &
    ## once ser1 exists, make it the script's standard input/output
    waitfor /dev/ser1
    reopen /dev/ser1

    ## system logger and pipe manager
    slogger &
    pipe &

    #######################################################################
    ## PCI server
    #######################################################################
    display_msg Starting PCI server...

    pci-malta &
    ## wait up to 4 seconds for the PCI server to appear
    waitfor /dev/pci 4
    
    #######################################################################
    ## FLASH driver (disabled by default)
    #######################################################################
    # display_msg Starting flash driver...
    #
    # devf-malta &
    
    #######################################################################
    ## NETWORK driver
    ##  - substitute your IP address for 1.2.3.4
    ##  - io-net loads the pcnet driver (devn-pcnet.so) and the full TCP/IP
    ##    stack (npm-tcpip.so), both listed further down in this file
    #######################################################################
    display_msg Starting on-board ethernet with large TCP/IP stack...
     
    io-net -dpcnet -ptcpip
    waitfor /dev/io-net/en0 4
    ifconfig en0 1.2.3.4

    #######################################################################
    ## REMOTE_DEBUG (gdb or Momentics)
    ##  - refer to the help documentation for the gdb, qconn and the IDE
    ##    for more information on remote debugging
    ##  - the commands shown require that NETWORK is enabled too
    ##  - qconn gives the IDE/gdb control of the target over the network;
    ##    leave it disabled in any image that is not a development build
    #######################################################################
    # devc-pty &
    # waitfor /dev/ptyp0 4
    # qconn port=8000



    #######################################################################
    ## USB driver (disabled by default)
    #######################################################################
    # display_msg Starting USB driver...
    #
    # io-usb -duhci &
    # waitfor /dev/io-usb/io-usb 4
    
    #######################################################################
    ## These env variables are inherited by all the programs which follow
    ##  - NOTE(review): the leading ':' in PATH and LD_LIBRARY_PATH is an
    ##    empty element, i.e. the current directory is searched first --
    ##    confirm this is intended
    #######################################################################
    SYSNAME=nto
    TERM=qansi
    PATH=:/proc/boot:/bin:/sbin:/usr/bin:/usr/sbin
    LD_LIBRARY_PATH=:/proc/boot:/lib:/usr/lib:/lib/dll

    #######################################################################
    ## NFS_REMOTE_FILESYSTEM
    ##  - This section is dependent on the NETWORK driver
    ##  - Don't forget to properly configure and run the nfsd daemon on the
    ##    remote fileserver.
    ##  - substitute the hostname or IP address of your NFS server for
    ##    nfs_server. The server must be exporting
    ##    "/usr/qnx630/target/qnx6/mipsle".
    ##  - everything the [type=link] entries below redirect to /mnt (/bin,
    ##    /lib, /etc, ...) is then served by -- and trusted from -- that
    ##    server
    #######################################################################
    display_msg Mounting NFS filesystem...
     
    ## the socket manager must be up before fs-nfs3 can reach the server
    waitfor /dev/socket 4
    ## mount the server's export at /mnt
    fs-nfs3 nfs_server:/usr/qnx630/target/qnx6/mipsle /mnt

    ## interactive shell on the console, as session leader
    [+session] ksh &
}

## /bin/sh, the console device and /tmp live in the image / shared memory
[type=link] /bin/sh=/proc/boot/ksh
[type=link] /dev/console=/dev/ser1
[type=link] /tmp=/dev/shmem

###########################################################################
## uncomment for NFS_REMOTE_FILESYSTEM
##  - with these links the target's programs, libraries and /etc are
##    loaded from the NFS mount at /mnt; the target runs whatever that
##    server exports, so use this only on a trusted lab network
###########################################################################
[type=link] /bin=/mnt/bin
[type=link] /sbin=/mnt/sbin
[type=link] /usr/bin=/mnt/usr/bin
[type=link] /usr/sbin=/mnt/usr/sbin
[type=link] /lib=/mnt/lib
[type=link] /usr/lib=/mnt/usr/lib
[type=link] /etc=/mnt/etc

## shared libraries stored in the image
libc.so
libm.so

###########################################################################
## uncomment for NETWORK driver
##  - pcnet driver, socket library and TCP/IP stack used by io-net above
###########################################################################
devn-pcnet.so
libsocket.so
npm-tcpip.so

###########################################################################
## uncomment for USB driver
###########################################################################
# devu-uhci.so
# libusbdi.so

## data=c: presumably the default data=cpy, i.e. each program below gets a
## copy of its data segment when it runs
[data=c]
devc-ser8250

###########################################################################
## uncomment for REMOTE_DEBUG (gdb or Momentics)
###########################################################################
# devc-pty
# qconn

###########################################################################
## uncomment for PCI server
###########################################################################
pci-malta
pci

###########################################################################
## uncomment for FLASH driver
###########################################################################
# devf-malta
# flashctl

###########################################################################
## uncomment for NETWORK driver
###########################################################################
io-net
ifconfig
nicinfo
netstat 
ping

###########################################################################
## uncomment for USB driver
###########################################################################
# io-usb
# usb

###########################################################################
## uncomment for NFS_REMOTE_FILESYSTEM
###########################################################################
fs-nfs3

###########################################################################
## general commands
###########################################################################
ls
ksh
pipe
pidin
uname
slogger
sloginfo
slay

###########################################################################
## END OF BUILD SCRIPT
###########################################################################

qnxbasedma.build

Here's the buildfile for .boot on an x86 platform, qnxbasedma.build:


Note: In a real buildfile, you can't use a backslash (\) to break a long line into shorter pieces, but we've done that here, just to make the buildfile easier to read.

#
# The buildfile for QNX Neutrino booting on a PC
#
# Bootstrap: x86 image started by the PC BIOS; "+compress" compresses the
# image. (The backslash line break is for readability only; see the note
# above the listing.)
[virtual=x86,bios +compress] boot = {
    # Reserve 64k of video memory to handle multiple video cards
    startup-bios -s64k

    # PATH is the *safe* path for executables
    #    (confstr(_CS_PATH...))
    # LD_LIBRARY_PATH is the *safe* path for libraries
    #    (confstr(_CS_LIBPATH)) i.e. This is the path searched
    #    for libs in setuid/setgid executables.
    # Keep both limited to the boot image and system directories, as here.
    PATH=/proc/boot:/bin:/usr/bin LD_LIBRARY_PATH=/proc/boot:\
/lib:/usr/lib:/lib/dll procnto
}

# Startup script: runs once procnto is up, then hands off to diskboot.
[+script] startup-script = {
    # To save memory make everyone use the libc in the boot
    # image! For speed (fewer symbolic lookups), point to
    # libc.so.2 instead of libc.so
    procmgr_symlink ../../proc/boot/libc.so.2 /usr/lib/ldqnx.so.2

    # Default user programs to priority 10, other scheduler (pri=10o)
    # Tell "diskboot" this is a hard disk boot (-b1)
    # Tell "diskboot" to use DMA on IDE drives (-D1)
    # Start 4 text consoles by passing "-n4" to "devc-con" (-o)
    # By adding "-e" Linux ext2 filesystem will be mounted as well.
    [pri=10o] PATH=/proc/boot diskboot -b1 -D1 -odevc-con,-n4
}

# Include the current "libc.so". It will be created as a real
# file using its internal "SONAME", with "libc.so" being a
# symlink to it. The symlink will point to the last "libc.so.*"
# so if an earlier libc is needed (e.g. libc.so.1), add it
# before this line.
libc.so

# Include all tie files for the default filesystems
# (block I/O layer, disk and CD-ROM CAM drivers, and the QNX 4, DOS,
# ext2 and CD filesystems)
libcam.so
io-blk.so
cam-disk.so
fs-qnx4.so
fs-dos.so
fs-ext2.so
cam-cdrom.so
fs-cd.so

# These programs only need to be run once from the boot image.
# "data=uip" will waste less memory as the ram from the boot
# image will be used directly without making a copy of the data
# (i.e. as the default "data=cpy" does). When they have been
# run once, they will be unlinked from /proc/boot.
[data=uip]
seedres
pci-bios
# devb-* are the block device drivers (IDE and various SCSI
# controllers) available to diskboot
devb-eide
devb-amd
devb-aha2
devb-aha4
devb-aha7
devb-aha8
devb-ncr8
diskboot
slogger
fesh

For more information about buildfiles (including some other samples), see Building Embedded Systems.

Buildfile that doesn't use diskboot

This buildfile is for an OS image that starts up without using diskboot.


Note: In a real buildfile, you can't use a backslash (\) to break a long line into shorter pieces, but we've done that here, just to make the buildfile easier to read.

#
# The build file for QNX Neutrino booting on a PC
#
# Bootstrap: x86 image started by the PC BIOS; "+compress" compresses the
# image. (The backslash line breaks are for readability only; see the note
# above the listing.)
[virtual=x86,bios +compress] boot = {
    # Reserve 64k of video memory
    startup-bios -s64k
    # PATH and LD_LIBRARY_PATH become the "safe" search paths (see
    # qnxbasedma.build); procnto-smp is the multiprocessor kernel
    PATH=/proc/boot:/bin:/usr/bin LD_LIBRARY_PATH=/proc/boot:\
/lib:/usr/lib:/lib/dll procnto-smp
}

# Startup script: instead of diskboot, start the drivers and mount the
# filesystems explicitly, then run the system init script from disk.
[+script] startup-script = {
    display_msg "  "
    display_msg "Neutrino Inside! (QNX 6.3.0)"
    display_msg "  "
    # use the libc in the boot image as the runtime linker
    procmgr_symlink ../../proc/boot/libc.so.2 /usr/lib/ldqnx.so.2

    display_msg "---> Starting PCI Services"
    seedres
    pci-bios
    waitfor /dev/pci

    display_msg "---> Starting Console Manager"
    # eight text consoles; con1 becomes the script's standard I/O
    devc-con -n8
    waitfor /dev/con1
    reopen /dev/con1

    display_msg "---> Starting EIDE Driver"
    # "blk ..." tunes the block I/O layer (64M cache, partition
    # auto-detection, vnode/name caches, no access-time updates, low
    # commit level). "dos exe=all" presumably marks every file on the DOS
    # filesystem executable -- check the io-blk and fs-dos docs before
    # keeping that on anything but a development machine.
    devb-eide blk cache=64M,auto=partition,vnode=2000,ncache=2000,\
noatime,commit=low dos exe=all
    waitfor /dev/hd0
    waitfor /dev/hd1

    # Mount one QNX 4 filesystem as /, and another as /home.
    # Also, mount a DOS partition and the CD drive.
    # (/dev/hd0t79 is the partition of type 79 on the first disk, etc.)

    mount /dev/hd0t79 /
    mount /dev/hd1t78 /home
    mount -tdos /dev/hd1t12 /fs/hd1-dos
    mount -tcd /dev/cd0 /fs/cd0
    
    display_msg "---> Starting /etc/system/sysinit"
    # from here on the system is configured by the init script on the
    # root filesystem
    ksh -c /etc/system/sysinit
}

# shared libraries: libc, block I/O layer, CAM drivers and filesystem DLLs
libc.so
libcam.so
io-blk.so
cam-disk.so
fs-qnx4.so
fs-dos.so
fs-ext2.so
cam-cdrom.so
fs-cd.so

# programs below get their own copy of their data when run
[data=c]
seedres
pci-bios
devb-eide
slogger
ksh
devc-con
mount

.profile

When you create a new user account, the user's initial .profile is copied from /etc/skel/.profile (see Managing User Accounts). Here's what's in that file:

# default .profile
# Print the hints only when standard input is a terminal (tty prints
# "not a tty" otherwise).
if [ "$(tty)" != "not a tty" ]; then
    echo 'edit the file .profile if you want to change your environment.'
    echo 'To start the Photon windowing environment, type "ph".'
fi

This profile runs the tty utility to get the name of the terminal that's open as standard input. If there is a terminal, .profile simply displays a couple of helpful hints.

You might want to set some environment variables:

EDITOR
The path to your favorite editor (the default is vi).
ENV
The name of the profile that ksh should run whenever you start a shell.

The code for these changes could look like this:

# Editor used by programs that consult $EDITOR (the default is vi).
EDITOR=/usr/local/bin/jed
# Startup file that ksh runs for every new shell.
ENV=$HOME/.kshrc
export EDITOR ENV

.kshrc

Here's an example of a profile that ksh runs if you set the ENV environment variable as described above for .profile:

# Ask before removing each file.
alias rm='rm -i'
# Shorthand for a long directory listing.
alias ll='ls -l'
# Prompt shows the current directory; the $(pwd) is evaluated each time
# the prompt is displayed, so it must stay in single quotes.
PS1='$(pwd) $ '
export PS1

This profile does the following: it makes rm ask for confirmation before removing each file, defines ll as a shorthand for ls -l, and sets the prompt to show the current working directory.

Configuration files for spooler

This section includes the configuration files to use for remote printing, using lpr, SAMBA, and NCFTP.


Note: You can find SAMBA and NCFTP in the third-party repository.

Using lpr

# Spooler printer configuration: jobs are handed to lpr for a printer
# defined in /etc/printcap.
# PNPCMD: the printer's page-description language (the CMD field of its
# Plug-and-Play string; see PNPSTR below).
PNPCMD=POSTSCRIPT

#----------------------------------------------------------------------
#
# The following macros are expanded for each filter command line
# $d - Device
# $m - PnP manufacture/model id
# $n - Printer name
# $s - Spooldir name
# $$ - A real $
#
#----------------------------------------------------------------------

FileVersion             =   2
#   Filter = <from>:<to>:<command>. The phs:ps line converts phs input to
#   PostScript with phs-to-ps; the ps:$d line delivers PostScript to the
#   device ($d), here by passing the job to lpr.
#   printer_name is the name that you specified in the /etc/printcap file.
Filter                  =   ps:$d:lpr -Pprinter_name
Filter                  =   phs:ps:phs-to-ps

# "Supported ..." lists the values the printer accepts (continuation
# lines are indented); the keys without "Supported" further down hold
# the current selection.
Supported Resolution    =   300 * 300,
                            600 * 600,
                            1200 * 1200

# width * height in thousandths of an inch (8500 * 11000 = 8.5" x 11")
Supported PaperSize     =   8500 * 11000 : Letter,
                            8500 * 14000 : Legal

Supported Orientation   =   0 : Portrait,
                            1 : Landscape

Supported Intensity     =   0   : Min,
                            100 : Max

Supported InkType       =   1 : "B&W",
                            3 : "Color (CMY)",
                            4 : "Color (CMYK)"

# Current settings; NonPrintable gives the margins in the same unit as
# the paper sizes.
Resolution              =   600 * 600
PaperSize               =   8500 * 11000 : Letter
Orientation             =   0 : Portrait
Intensity               =   50
InkType                 =   4 : "Color (CMYK)"
NonPrintable            =   500:Left, 500:Top, 500:Right, 500:Bottom

#----------------------------------------------------------------------

# Model-specific sections: the entries after an "if PNPID=..." line
# apply when the printer's Plug-and-Play ID matches.
if PNPID=HEWLETT-PACKARDHP_850DDE
PNPSTR=MFG:HEWLETT-PACKARD;MDL:HP 8500;CLS:PRINTER;CMD:POSTSCRIPT;

Supported PaperSize     =    8500 * 11000 : Letter,
                             8500 * 14000 : Legal,
                             7250 * 10500 : Exec,
                            11000 * 17000 : B,
                             8262 * 11692 : A4,
                             5846 *  8262 : A5,
                             7000 *  9875 : B5,
                            11692 * 16524 : A3

#----------------------------------------------------------------------

if PNPID=HEWLETT-PACKARDHP_25A854
PNPSTR=MFG:HEWLETT-PACKARD;MDL:HP 2500C;CLS:PRINTER;CMD:PCL,MLC,PML,POSTSCRIPT;

Supported PaperSize     =    8500 * 11000 : Letter,
                             8500 * 14000 : Legal,
                             7250 * 10500 : Exec,
                            11000 * 17000 : B,
                             8262 * 11692 : A4,
                             5846 *  8262 : A5,
                             7000 *  9875 : B5,
                            11692 * 16524 : A3

#----------------------------------------------------------------------

Using NCFTP

# Spooler printer configuration: jobs are uploaded to a network printer
# with ncftpput.
# PNPCMD: the printer's page-description language (the CMD field of its
# Plug-and-Play string; see PNPSTR below).
PNPCMD=POSTSCRIPT

#----------------------------------------------------------------------
#
# The following macros are expanded for each filter command line
# $d - Device
# $m - PnP manufacture/model id
# $n - Printer name
# $s - Spooldir name
# $$ - A real $
#
#----------------------------------------------------------------------

FileVersion             =   2
#   Filter = <from>:<to>:<command>. The phs:ps line converts phs input to
#   PostScript with phs-to-ps; the ps:$d line delivers PostScript to the
#   device ($d), here by sending it over FTP (a cleartext protocol) to the
#   printer.
#   x.x.x.x is the IP address of the printer
#   prt0 is the port used on the printer (in this case, port zero).
Filter                  =   ps:$d:ncftpput -V -E x.x.x.x /prt0
Filter                  =   phs:ps:phs-to-ps

# "Supported ..." lists the values the printer accepts (continuation
# lines are indented); the keys without "Supported" further down hold
# the current selection.
Supported Resolution    =   300 * 300,
                            600 * 600,
                            1200 * 1200

# width * height in thousandths of an inch (8500 * 11000 = 8.5" x 11")
Supported PaperSize     =   8500 * 11000 : Letter,
                            8500 * 14000 : Legal

Supported Orientation   =   0 : Portrait,
                            1 : Landscape

Supported Intensity     =   0   : Min,
                            100 : Max

Supported InkType       =   1 : "B&W",
                            3 : "Color (CMY)",
                            4 : "Color (CMYK)"

# Current settings; NonPrintable gives the margins in the same unit as
# the paper sizes.
Resolution              =   600 * 600
PaperSize               =   8500 * 11000 : Letter
Orientation             =   0 : Portrait
Intensity               =   50
InkType                 =   4 : "Color (CMYK)"
NonPrintable            =   500:Left, 500:Top, 500:Right, 500:Bottom

#----------------------------------------------------------------------

# Model-specific sections: the entries after an "if PNPID=..." line
# apply when the printer's Plug-and-Play ID matches.
if PNPID=HEWLETT-PACKARDHP_850DDE
PNPSTR=MFG:HEWLETT-PACKARD;MDL:HP 8500;CLS:PRINTER;CMD:POSTSCRIPT;

Supported PaperSize     =    8500 * 11000 : Letter,
                             8500 * 14000 : Legal,
                             7250 * 10500 : Exec,
                            11000 * 17000 : B,
                             8262 * 11692 : A4,
                             5846 *  8262 : A5,
                             7000 *  9875 : B5,
                            11692 * 16524 : A3

#----------------------------------------------------------------------

if PNPID=HEWLETT-PACKARDHP_25A854
PNPSTR=MFG:HEWLETT-PACKARD;MDL:HP 2500C;CLS:PRINTER;CMD:PCL,MLC,PML,POSTSCRIPT;

Supported PaperSize     =    8500 * 11000 : Letter,
                             8500 * 14000 : Legal,
                             7250 * 10500 : Exec,
                            11000 * 17000 : B,
                             8262 * 11692 : A4,
                             5846 *  8262 : A5,
                             7000 *  9875 : B5,
                            11692 * 16524 : A3

#----------------------------------------------------------------------

Using SAMBA

# Spooler printer configuration: jobs are sent to a SAMBA shared printer
# with smbspool.
# PNPCMD: the printer's page-description language (the CMD field of its
# Plug-and-Play string; see PNPSTR below).
PNPCMD=POSTSCRIPT

#----------------------------------------------------------------------
#
# The following macros are expanded for each filter command line
# $d - Device
# $m - PnP manufacture/model id
# $n - Printer name
# $s - Spooldir name
# $$ - A real $
#
#----------------------------------------------------------------------

FileVersion             =   2

# You need to have an environment variable, DEVICE_URI, set for smbspool
# to access the SAMBA shared printer.
#
# Form for smb command used with smbspool which is set in DEVICE_URI
#     No Username and password required:
#         - DEVICE_URI = "smb://server/printer"
#         - DEVICE_URI = "smb://workgroup/server/printer"
#     Username and password required:
#         - DEVICE_URI = "smb://username:password@server/printer"
#         - DEVICE_URI = "smb://username:password@workgroup/server/printer"
#
#     Where     username = SAMBA username
#               password = SAMBA password
#               workgroup = SAMBA workgroup
#               server  = SAMBA server name
#               printer = SAMBA shared printer name
#
# Use of DEVICE_URI environment variable allows you to set this entry for the smbspool to
# automatically look for it when it isn't included in the command line.
#
# NOTE: the "username:password@..." forms put the SAMBA password into the
# spooler's environment, where anything that can read that environment (or
# the file that sets it) can see it. Prefer the forms that need no
# password, or a dedicated print-only account with no other rights.
#

#   Filter = <from>:<to>:<command>. The phs:ps line converts phs input to
#   PostScript with phs-to-ps; the ps:$d line delivers PostScript to the
#   device ($d) via smbspool, which here is given CUPS-style positional
#   arguments (presumably job-id, user, title, copies, options -- confirm
#   against the smbspool docs) and reads the job from standard input.
Filter                  =   ps:$d:smbspool 1 NULL none 1 1  
Filter                  =   phs:ps:phs-to-ps

# "Supported ..." lists the values the printer accepts (continuation
# lines are indented); the keys without "Supported" further down hold
# the current selection.
Supported Resolution    =   300 * 300,
                            600 * 600,
                            1200 * 1200

# width * height in thousandths of an inch (8500 * 11000 = 8.5" x 11")
Supported PaperSize     =   8500 * 11000 : Letter,
                            8500 * 14000 : Legal

Supported Orientation   =   0 : Portrait,
                            1 : Landscape

Supported Intensity     =   0   : Min,
                            100 : Max

Supported InkType       =   1 : "B&W",
                            3 : "Color (CMY)",
                            4 : "Color (CMYK)"

# Current settings; NonPrintable gives the margins in the same unit as
# the paper sizes.
Resolution              =   600 * 600
PaperSize               =   8500 * 11000 : Letter
Orientation             =   0 : Portrait
Intensity               =   50
InkType                 =   4 : "Color (CMYK)"
NonPrintable            =   500:Left, 500:Top, 500:Right, 500:Bottom

#----------------------------------------------------------------------

# Model-specific sections: the entries after an "if PNPID=..." line
# apply when the printer's Plug-and-Play ID matches.
if PNPID=HEWLETT-PACKARDHP_850DDE
PNPSTR=MFG:HEWLETT-PACKARD;MDL:HP 8500;CLS:PRINTER;CMD:POSTSCRIPT;

Supported PaperSize     =    8500 * 11000 : Letter,
                             8500 * 14000 : Legal,
                             7250 * 10500 : Exec,
                            11000 * 17000 : B,
                             8262 * 11692 : A4,
                             5846 *  8262 : A5,
                             7000 *  9875 : B5,
                            11692 * 16524 : A3

#----------------------------------------------------------------------

if PNPID=HEWLETT-PACKARDHP_25A854
PNPSTR=MFG:HEWLETT-PACKARD;MDL:HP 2500C;CLS:PRINTER;CMD:PCL,MLC,PML,POSTSCRIPT;

Supported PaperSize     =    8500 * 11000 : Letter,
                             8500 * 14000 : Legal,
                             7250 * 10500 : Exec,
                            11000 * 17000 : B,
                             8262 * 11692 : A4,
                             5846 *  8262 : A5,
                             7000 *  9875 : B5,
                            11692 * 16524 : A3

#----------------------------------------------------------------------

PPP with CHAP authentication between two Neutrino boxes

The following script starts the Point-to-Point Protocol daemon, pppd, with a chat script, waits for the modem to ring, answers it, and starts PPP services with CHAP (Challenge-Handshake Authentication Protocol) authentication. After PPP services have terminated, or an error on modem answer occurs, it restarts and waits for the next call:

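#!/bin/sh
#
# modem_ans_ppp.sh - answer an incoming modem call on a serial port and run
# pppd, requiring CHAP authentication from the caller. pppd runs in the
# foreground (nodetach); when it exits (link down, or chat failed to get a
# connection) the loop goes back to waiting for the next call.
#
# Usage: modem_ans_ppp.sh [serial_port]    (default: /dev/ser1)

SERIAL_PORT=$1
DEFAULT_SERIAL_PORT=/dev/ser1
PPPD="/usr/sbin/pppd"
# chat script: abort on BUSY/CARRIER/ERROR, wait (effectively forever --
# chat has no infinite wait, hence the huge TIMEOUT) for RING, answer with
# ATA, then expect CONNECT within 60 seconds and pause briefly (\d is a
# one-second delay) before handing the line to pppd.
DO_CHAT="chat -v ABORT BUSY ABORT CARRIER ABORT ERROR \
 TIMEOUT 32000000 RING ATA TIMEOUT 60 CONNECT \d\d\d"
STTY="/bin/stty"
ECHO="/bin/echo"
# addresses assigned to the local and remote ends of the PPP link
LOCAL_IP=10.99.99.1
REMOTE_IP=10.99.99.2

# Fall back to the default port when no argument was given.
# ("=" rather than "==": the latter is not POSIX test syntax and a strict
# /bin/sh rejects it.)
if [ "$SERIAL_PORT" = "" ]; then
    SERIAL_PORT=$DEFAULT_SERIAL_PORT
fi

# do some initialization
$STTY +sane +raw < "$SERIAL_PORT"

while :; do
    $ECHO "Waiting on modem $SERIAL_PORT..."
    $ECHO "Starting PPP services..."
    # auth +chap: the caller must authenticate with CHAP (secrets come from
    # /etc/ppp/chap-secrets); debug: verbose negotiation logging
    $PPPD connect "$DO_CHAT" debug nodetach auth +chap \
"$LOCAL_IP:$REMOTE_IP" "$SERIAL_PORT"
done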

The TIMEOUT is 32000000 because chat doesn't allow an infinite wait; such a large value means a very long time passes before the timeout takes effect. The /etc/ppp/chap-secrets file is as follows:

# Client  Server  Secret    Addresses allowed
##############################################################
# This sample entry matches any client and any server name with the
# literal secret "password" and allows any address. Use one line per
# peer, a real secret and explicit addresses before relying on it.
*  *  "password" *

You can also extend the chat script that answers the modem to be a little more robust with specific events that should restart the answering service other than the events given. You might want to add other features as well.

Here's the buildfile used to set up a machine to allow telnet connections (to log in for shell access) and tftp access (for file transfer) over PPP:

# Bootstrap: x86 image started by the PC BIOS; "+compress" compresses the
# image.
[virtual=x86,bios +compress] .bootstrap = {
    # -K...: 8250 UART settings (port 2f8, 57600 baud, 1843200 Hz clock,
    # by the look of the string) passed to startup for the kernel --
    # confirm against the startup-bios docs
    startup-bios -K8250.2f8^0.57600.1843200.16 -v
    PATH=/proc/boot procnto -vvv
}
# Startup script: bring up PCI, the consoles, the modem's serial port,
# syslog, the ttcpip stack with PPP support and inetd, then a shell on
# the console. The modem answering script itself (./modem_ans_ppp.sh,
# included below) is started by hand from that shell.
[+script] startup-script = {
    seedres 
    pci-bios &
    waitfor /dev/pci
    # Start 8 text consoles (-n8); con1 becomes the script's standard I/O
    devc-con -n8 &
    waitfor /dev/con1
    reopen /dev/con1
    # Start serial A driver (the modem port; /dev/ser1 is the default
    # port of modem_ans_ppp.sh)
    devc-ser8250 -e -b38400
    waitfor /dev/ser1
    pipe
    # syslogd writes everything to /tmp/syslog (see /etc/syslog.conf below)
    touch /tmp/syslog
    syslogd
    # pseudo-ttys, used by telnetd for login sessions
    devc-pty
    # network manager with the PPP manager and the ttcpip stack
    # (npm-pppmgr.so and npm-ttcpip.so below)
    io-net -ppppmgr -pttcpip
    waitfor /dev/io-net/ip_ppp
    # inetd starts telnetd/tftpd on demand (see /etc/inetd.conf below)
    inetd &

    display_msg "[Shell]"
    [+session] PATH=/bin:/proc/boot /bin/sh &
}

# Make /tmp point to the shared memory area...
[type=link] /tmp=/dev/shmem

# Programs require the runtime linker (ldqnx.so) to be at
# a fixed location
[type=link] /usr/lib/ldqnx.so.2=/proc/boot/libc.so
[type=link] /bin/sh=/bin/ksh

# We use the "c" shared lib (which also contains the
# runtime linker)
libc.so
# socket library, ttcpip stack and PPP manager loaded by io-net
libsocket.so
npm-ttcpip.so
npm-pppmgr.so

# The files above this line can be shared by multiple
# processes
[data=c]
devc-con
devc-ser8250
devc-pty
pci-bios
seedres
pipe
io-net
# echo and stty are installed under the full paths the script uses
/bin/echo=echo
/bin/stty=stty
tail
pci
chat
ifconfig
ping
syslogd
touch
# the modem answering script shown above (runs chat and pppd)
./modem_ans_ppp.sh

#Services (telnetd etc) config
inetd
/usr/sbin/telnetd=telnetd
/usr/sbin/tftpd=tftpd
/usr/sbin/pppd=pppd
/bin/login=login
/bin/ksh=ksh

# CHAP secrets as an inline file. This sample accepts any client and any
# server name with the literal secret "password" and allows any address;
# replace it with one entry per peer, a real secret and explicit addresses
# before using it outside a closed lab.
/etc/ppp/chap-secrets = {
# Client    Server     Secret     Addrs
#########################################
*           *           "password"  *
}
# everything syslogd receives goes to /tmp/syslog
/etc/syslog.conf = {
*.*     /tmp/syslog
}

# Inetd config Files
# /etc/passwd, /etc/shadow and /etc/default/login are copied from the
# build host (hence the need to build as root), so the host's accounts and
# password hashes end up in the image. Supply purpose-built versions as
# inline files instead, as the note below the listing suggests.
/etc/services= /etc/services
/etc/protocols= /etc/protocols
/etc/termcap= /etc/termcap
/etc/passwd= /etc/passwd
/etc/default/login= /etc/default/login
/etc/resolv.conf= /etc/resolv.conf
/etc/shadow = /etc/shadow

# telnet (cleartext login) and tftp (no authentication of its own) are
# reachable over the PPP link; tftp in particular is protected only by the
# CHAP authentication of the link itself.
/etc/inetd.conf = {
telnet      stream  tcp nowait  root    /usr/sbin/telnetd   in.telnetd
tftp        dgram   udp wait    root    /usr/sbin/tftpd     in.tftpd
}

# host names for both ends of the PPP link (the addresses match
# LOCAL_IP/REMOTE_IP in modem_ans_ppp.sh)
/etc/hosts = {
127.1   localhost.localdomain   localhost
10.99.99.1  server  server
10.99.99.2  client  client
}

Note: To build the image using this buildfile, you'll need to be root, because it takes a copy of /etc/passwd and /etc/shadow (which makes passwords easy to remember), but you can also put your own versions of them into the buildfile as inline files.

Using two computers with modems, you can have one automatically answer, establish PPP services, and authenticate. You can then telnet and tftp to the server from a client. Use these client pppd parameters (in addition to the same chap-secrets file):

# client side: dial with the chat script, require the peer to authenticate
# with CHAP, and use the client modem's serial port (here /dev/ser3)
pppd connect "chat -v -f/tmp/dial_modem" auth +chap /dev/ser3

but use the appropriate serial port for the client-side modem instead of /dev/ser3. Make sure you use the full path to your modem script. The chat script, dial_modem, is fairly simple:

# dial_modem - client-side chat script: give up on these modem responses,
# then dial and wait for the connection.
ABORT 'NO CARRIER'
ABORT 'ERROR'
ABORT 'BUSY'

# expect nothing, send the dial command (replace xxxxxxx with the server's
# phone number); then expect CONNECT and send nothing
'' ATDTxxxxxxx
CONNECT ''

Configuration files for setting up a firewall

If you've installed the IP Filtering software from the third-party repository, you'll find various documents and configuration files in /opt/ipfilter.

ipf.conf.sample

Here's a sample configuration file for IP Filtering, which you'll find in /opt/ipfilter/rules/ipf.conf.sample:

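#
# Copyright 2001, QNX Software Systems Ltd. All Rights Reserved
#
# This source code has been published by QNX Software Systems Ltd. (QSSL).
# However, any use, reproduction, modification, distribution or transfer of
# this software, or any software which includes or is based upon any of this
# code, is only permitted under the terms of the QNX Open Community License
# version 1.0 (see licensing.qnx.com for details) or as otherwise expressly
# authorized by a written license agreement from QSSL. For more information,
# please email licensing@qnx.com.
#
#
# Sample of filter rules
#
# Interfaces (see ipnat.conf.sample): en1 is the internal side, en0 the
# external side, and 10.9.0.1 the gateway's external address.
# Rules are tested in order and the last matching rule wins, unless a rule
# says "quick". A packet that matches a "head" rule is then tested only
# against the rules of that group, and takes the head rule's action if none
# of them matches.

block in on en1 all head 100
block return-icmp(host-unr) in proto tcp from any to 10.9.0.1 port = 25 group 100
block return-rst in proto tcp from any to 10.9.0.1 port = 23 group 100

# The first line creates a "group" head. If a packet matches a group head
# rule, the packet will *only* go through that group (and skip the other
# groups). This group collects any packet coming in on the en1 interface.
#
# The second line says: if a TCP packet coming in (through en1) tries to
# reach 10.9.0.1 port 25 (smtp), block it and send an ICMP
# "HOST UNREACHABLE" error back.
#
# The third line is almost the same as the second, except that it is for
# port 23 (telnet), and a "TCP RESET" packet is sent back instead.

block in on en0 all head 200
pass in quick proto tcp from any to 10.9.0.1 port = 8823 keep state group 200
block in log proto tcp/udp from any to 10.9.0.1/32 port 20000 <> 40000 group 200
block in log body proto tcp from any to 10.9.0.1/32 flags S/SA group 200

# This is another set of rules (rule group 200). Any packet coming in from en0
# (our "external" interface) falls into this group.
#
# The "pass" line opens a "secret port", 8823, and lets whoever tries to
# contact it pass through. So you could run a "telnetd" on that port and let
# only the people you trust know about it. The keyword "quick" makes a packet
# that matches this rule be processed (passed) immediately, without testing
# it against further rules; "keep state" lets the rest of that TCP session
# through as well. (A rule belongs to exactly one group, and the "group"
# keyword comes last, after "keep state".)
# An unadvertised port number is not access control: whatever you run on
# 8823 must still authenticate its users itself.
#
# The third line blocks any tcp/udp packet whose port is not in the range
# 20000 - 40000 (our port mapping range). That means we don't run any
# services on the gateway, except using these ports for NAT (and except the
# service we run on "secret" port 8823).
# Also, we "log" the info of any blocked packet into our internal log buffer,
# so you can use "ipmon -oI" to check it later. This rule blocks most port
# scanning utilities.
#
# The fourth line says: if a TCP packet is coming in with the SYN flag set
# but ACK not set, it is a regular TCP "handshake" (connection request)
# packet. We block it, and "log body" means log the "whole" packet, so we
# can use ipmon to examine it later.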

ipnat.conf

Here's a sample configuration file for Network Address Translation (NAT), which you'll find in /opt/ipfilter/rules/ipnat.conf.sample:

#
# Copyright 2001, QNX Software Systems Ltd. All Rights Reserved
#
# This source code has been published by QNX Software Systems Ltd. (QSSL).
# However, any use, reproduction, modification, distribution or transfer of
# this software, or any software which includes or is based upon any of this
# code, is only permitted under the terms of the QNX Open Community License
# version 1.0 (see licensing.qnx.com for details) or as otherwise expressly
# authorized by a written license agreement from QSSL. For more information,
# please email licensing@qnx.com.
#
#
#
# NAT rules; the sample network looks like this:
#
#
#   box1 (192.0.0.2) <--->  (192.0.0.1) Gateway (10.9.0.1) <---> whole network 10
#
# "box1" is an internal machine; the "Gateway" is the one running ipfilter.so.
# The "10.9.0.1" side is assumed to be the external internet.
#
# On "Gateway", start io-net like this:
#
#     io-net -d epic -d speedo -p tcpip forward
#     ifconfig en0 10.9.0.1
#     ifconfig en1 192.0.0.1
#     mount -Tio-net ipfilter.so
#
# Now the rules, first the NAT rules. They are listed from most specific
# to catch-all (presumably the first matching map rule is used -- see the
# ipnat docs).

map en0 192.0.0.0/8 -> 10.9.0.1/32 proxy port ftp ftp/tcp
map en0 192.0.0.0/8 -> 10.9.0.1/32 portmap tcp/udp 20000:40000 mssclamp 1452
map en0 192.0.0.0/8 -> 10.9.0.1/32

# The first line tells NAT to use the builtin ftp-proxy.
#
# The second line tells NAT to map any TCP/UDP packet on en0
# from 192.0.0.0/8 to 10.9.0.1/32 (the "/<num>" is the netmask).
# It also tells NAT to map the original port into a port range
# between 20000 - 40000.
# "mssclamp 1452" is optional, in case your external interface
# has an MTU less than 1500 (for example, a ppp0 running pppoe has
# an MTU of 1492).
#
# NOTE(review): 192.0.0.0/8 covers every 192.x.x.x address, not just the
# internal 192.0.0.x network in the diagram; a tighter mask (e.g. /24)
# would limit NAT to the hosts actually behind the gateway -- confirm
# what is intended.
#
# The third line tells NAT to map any packet that does not match the
# two rules above. This basically makes ICMP packets get mapped.

rdr en1 10.9.0.1/32 port 80 -> intra.qnx.com port 80 tcp

# This "rdr" rule says: if the internal "box1" tries to
# access the gateway's port 80, redirect it to intra.qnx.com
