#
# pf.conf for the head-unit network stack (QNX packet filter).
# Layout: macros, tables, global options, NAT/rdr anchors, then the
# filter rules. Rules are evaluated in order; every "pass ... quick"
# below terminates evaluation on match, so ordering is load-bearing.
# One directive per line; "#" starts a comment.
#
# Macros
#
# carip: address set used by the DNS and ICMP rules below. "(self)" expands
# to every address configured on this host.
# NOTE(review): 160.48.199/24 is listed twice; the duplicate is harmless to
# pf but suggests a copy/paste slip -- confirm whether a different prefix
# was intended.
carip="{(self),172.16.222/24,160.48.199/24,192.168.0/24,160.48.199/24,172.16.224/24}"
# IP protocol number 2 = IGMP (used by the CarPlay multicast rule).
igmp="2"
#
# Tables
#
# NOTE(review): pf syntax is "table <name> const { ... }"; the angle-bracketed
# table name is missing on the next line, and several rules further down read
# "from to ..." / "to {255.255.255.255,}" where the same "<name>" reference
# would sit. This looks like an extraction artifact (angle brackets dropped),
# not the deployed text -- confirm against the file on the device before
# loading with pfctl.
table const {172.16.222.100,172.16.222.101,172.16.222.102,172.16.222.103,172.16.222.104,172.16.222.105,172.16.222.106,172.16.222.107,172.16.222.108,172.16.222.109,172.16.222.110}
# Set tcp.closed timeout to 0. This is necessary because the packet filter
# handles the closing of a TCP connection symmetrically, but the TCP stack
# handles the closing of a TCP connection asymmetrically -- depending on which
# side sends the FIN packet first. This leads to situations in which the
# TCP stack already allows the reuse of a certain source port, but the firewall
# still blocks a new connection with this port if tcp.closed is > 0.
#
# Please be aware that the current QNX documentation of the packet filter is
# wrong. The description of tcp.finwait actually describes tcp.closed. The
# description of tcp.closing actually describes tcp.finwait. It is unclear
# when tcp.closing is really used, and it is also unclear which timeout is
# applied if a RST packet occurs (according to the description, it should be
# tcp.closed, but, as described above, tcp.closed is actually used for a
# different purpose).
#
# Global options
#
set timeout interval 5
set timeout tcp.finwait 45
set timeout tcp.closed 0
set reassemble yes
# scrub: normalize/reassemble inbound fragments before filtering.
scrub in
#
# NAT/no-NAT anchors
#
# Anchor for NAT exclusions (incoming ports)
nat-anchor no_nat
# NAT anchors
nat-anchor nat_NAD
nat-anchor nat_BT1
nat-anchor nat_BT2
nat-anchor nat_USB
rdr-anchor rtp_miracast_9870
rdr-anchor rtp_miracast_9873
#
# PF rules
#
# Block everything by default. Last-match semantics, so anything not hit by a
# "quick" pass rule below is dropped.
# NOTE(review): drops are not logged; "block log all" would make rejected
# traffic visible for troubleshooting and detection, if a pflog interface is
# available on this platform -- confirm before changing.
block all
# anchor for OBD interface rules
anchor filter_OBD
# voip
# NOTE(review): passes all IPv4 in both directions on vlan80 with no address,
# protocol or port restriction. If the VoIP peers and ports are known, scoping
# this rule to them would shrink the exposure on that VLAN.
pass quick on vlan80 inet all
# Miracast (RTSP)
# The peer set on the "to"/"from" side is the table reference that appears to
# have been stripped (see the Tables section).
pass out quick on wfd0 proto tcp from 172.16.222.1 port {64326,64327} to 
pass in quick on wfd0 proto tcp from  to 172.16.222.1 port {64326,64327}
# Miracast (HDCP)
pass in quick on wfd0 proto tcp from  to 172.16.222.1 port {9871,9874}
pass out quick on wfd0 proto tcp from 172.16.222.1 port {9871,9874} to 
# Miracast (RTP)
pass in quick on wfd0 proto udp from  to 172.16.222.1 port {9870,9873}
# Miracast (TouchCommand)
pass in quick on wfd0 proto tcp from  to 172.16.222.1 port 4099
pass out quick on wfd0 proto tcp from 172.16.222.1 port 4099 to 
# Delete next line to use USB Device on en5
# NOTE(review): unrestricted pass on en5 (and veom0 below); these interfaces
# are effectively outside the firewall while these lines are present.
pass quick on en5
pass quick on veom0
pass quick on lo0
# For CarPlay useCase
# Stateless pass rules in each direction; the "in" and "out" pairs must stay in
# sync because no state entry covers the reverse direction.
pass in quick on uap0 proto tcp from 172.16.224/24 to 172.16.224.1 port {5000,5001,5010,6000,6030,6100,6200,7000,7001,7100,49512:65535}
pass in quick on uap0 proto udp from 172.16.224/24 to 172.16.224.1 port {5020,6000,6001,6002,6003,6010,6011,6020,6021,6100,6200,7010,7011,49512:65535}
pass out quick on uap0 proto tcp from 172.16.224.1 port {5000,5001,5010,6000,6030,6100,6200,7000,7001,7100,49512:65535} to 172.16.224/24
pass out quick on uap0 proto udp from 172.16.224.1 port {5020,6000,6001,6002,6003,6010,6011,6020,6021,6100,6200,7010,7011,49512:65535} to 172.16.224/24
# multicast groups for carplay
pass quick on uap0 proto $igmp
# MDNS for carplay via IP4 and IP6
# NOTE(review): "from any to any" in both directions; mDNS normally needs only
# the link-local multicast destinations (224.0.0.251 / ff02::fb) -- consider
# narrowing if the CarPlay stack does not require unicast 5353.
pass quick on uap0 proto udp from any to any port 5353
# allow DNS on uap0
# "keep state" is explicit only here and on the ICMP rule below. Whether this
# pf version creates state by default is not visible from the file -- confirm,
# since the Miracast/CarPlay rules above rely on their explicit reverse rules.
pass quick on uap0 proto udp from any to $carip port 53 keep state
#
# DHCP Config
#
# allow DHCP on uap0
pass in quick on uap0 proto udp from 0.0.0.0 port 68 to 255.255.255.255 port 67
pass in quick on uap0 proto udp from 172.16.224/24 port 68 to {255.255.255.255,172.16.224.1} port 67
pass out quick on uap0 proto udp from 172.16.224.1 port 67 to {255.255.255.255,172.16.224/24} port 68
# allow DHCP on wfd0
# The empty "from" / trailing "," below are where the stripped table reference
# sits (see the Tables section).
pass in quick on wfd0 proto udp from 0.0.0.0 port 68 to 255.255.255.255 port 67
pass in quick on wfd0 proto udp from  port 68 to {255.255.255.255,172.16.222.1} port 67
pass out quick on wfd0 proto udp from 172.16.222.1 port 67 to {255.255.255.255,} port 68
#
# ICMP Config
#
# allow ICMP on $carip
# Not bound to an interface, so echo requests between $carip addresses are
# accepted on every interface, including those blocked otherwise.
pass quick inet proto icmp from $carip to $carip icmp-type echoreq keep state
#
# PF anchors
#
# Per-interface filter/route anchors; their rules are loaded separately and
# are not visible in this file.
anchor filter_NAD
anchor route_NAD
anchor filter_BT1
anchor route_BT1
anchor filter_BT2
anchor route_BT2
anchor filter_USB
anchor route_USB