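#
# Macros
#

# Address list used by the DNS and ICMP rules further down. "(self)" expands to
# every address configured on this host at load time. (The original list named
# 160.48.199/24 twice; the duplicate is dropped here -- the expanded rule set is
# identical.)
carip="{(self),172.16.222/24,160.48.199/24,192.168.0/24,172.16.224/24}"

# IP protocol number 2 = IGMP (used by the CarPlay multicast-group rule)
igmp="2"

#
# Tables
#

# Miracast peers on wfd0 that may talk to 172.16.222.1. "const" prevents the
# table from being altered at runtime once it has been created.
table <wfd> const {172.16.222.100,172.16.222.101,172.16.222.102,172.16.222.103,172.16.222.104,172.16.222.105,172.16.222.106,172.16.222.107,172.16.222.108,172.16.222.109,172.16.222.110}

# Set tcp.closed timeout to 0. This is necessary because the packet filter
# handles the closing of a TCP connection symmetrically, but the TCP stack
# handles the closing of a TCP connection asymmetrically -- depending on which
# side sends the FIN packet first. This leads to situations in which the
# TCP stack allows already the reuse of a certain source port, but the firewall
# still blocks a new connection with this port if tcp.closed is > 0.
#
# Please, be aware that the current QNX documentation of the packet filter is
# wrong. The description of tcp.finwait describes actually tcp.closed. The
# description of tcp.closing describes actually tcp.finwait. It is unclear
# when tcp.closing is really used, and it is also unclear which timeout is
# applied if a RST packet occurs (according to the description, it should be
# tcp.closed, but, as described above, tcp.closed is actually used for a
# different purpose).
#
# Section order in this file is: options -> scrub -> NAT/rdr anchors -> filter
# rules. Older pf grammars reject rules given out of that order, so keep it.
set timeout interval 5
set timeout tcp.finwait 45
set timeout tcp.closed 0
set reassemble yes

# scrub
# Normalize (reassemble fragments of) all inbound packets before filtering.
scrub in

#
# NAT/no-NAT anchors
#

# Anchor for NAT exclusions (incoming ports)
nat-anchor no_nat

# NAT anchors
nat-anchor nat_NAD
nat-anchor nat_BT1
nat-anchor nat_BT2
nat-anchor nat_USB
# Redirect anchors for the Miracast RTP ports; the matching filter rule is in
# the "Miracast (RTP)" section below.
rdr-anchor rtp_miracast_9870
rdr-anchor rtp_miracast_9873

#
# PF rules
#

# Block everything by default
# Default deny on every interface and in both directions; everything below is
# an explicit exception. There is no "log" keyword, so dropped packets are not
# visible on pflog -- NOTE(review): "block log all" would make the drops
# observable if a pflog interface is available on this platform; confirm.
block all

# anchor for OBD interface rules
anchor filter_OBD

# voip
# NOTE(review): unrestricted IPv4 pass, any protocol, both directions, on the
# VoIP VLAN. Nothing else in this file constrains vlan80.
pass quick on vlan80 inet all

# Miracast rules are written as explicit in/out pairs without "keep state".
# Whether pass rules create state by default depends on the pf version; the
# explicit "keep state" on the DNS and ICMP rules below suggests it does not
# here, so treat these pairs as stateless -- confirm against the target pf.

# Miracast (RTSP)
pass out quick on wfd0 proto tcp from 172.16.222.1 port {64326,64327} to <wfd>
pass in quick on wfd0 proto tcp from <wfd> to 172.16.222.1 port {64326,64327}
# Miracast (HDCP)
pass in quick on wfd0 proto tcp from <wfd> to 172.16.222.1 port {9871,9874}
pass out quick on wfd0 proto tcp from 172.16.222.1 port {9871,9874} to <wfd>
# Miracast (RTP)
# Inbound only; presumably the rtp_miracast_9870/9873 rdr anchors above handle
# the redirect for these ports -- verify against the anchor contents.
pass in quick on wfd0 proto udp from <wfd> to 172.16.222.1 port {9870,9873}
# Miracast (TouchCommand)
pass in quick on wfd0 proto tcp from <wfd> to 172.16.222.1 port 4099
pass out quick on wfd0 proto tcp from 172.16.222.1 port 4099 to <wfd>

# Delete next line to use USB Device on en5
# NOTE(review): the next two rules pass all traffic, any protocol, both
# directions, on en5 and veom0 with no address or port constraint; the comment
# above reads as if the en5 rule is meant to be removable -- confirm which
# state is intended. The lo0 rule is the usual loopback allowance.
pass quick on en5
pass quick on veom0
pass quick on lo0

# For CarPlay useCase
# Access-point side (uap0): clients in 172.16.224/24 to the host 172.16.224.1
# on the listed ports, plus the symmetric outbound rules.
# NOTE(review): the range 49512:65535 looks like a transposition of the IANA
# dynamic range start 49152 -- confirm which value is intended.
pass in quick on uap0 proto tcp from 172.16.224/24 to 172.16.224.1 port {5000,5001,5010,6000,6030,6100,6200,7000,7001,7100,49512:65535}
pass in quick on uap0 proto udp from 172.16.224/24 to 172.16.224.1 port {5020,6000,6001,6002,6003,6010,6011,6020,6021,6100,6200,7010,7011,49512:65535}
pass out quick on uap0 proto tcp from 172.16.224.1 port {5000,5001,5010,6000,6030,6100,6200,7000,7001,7100,49512:65535} to 172.16.224/24
pass out quick on uap0 proto udp from 172.16.224.1 port {5020,6000,6001,6002,6003,6010,6011,6020,6021,6100,6200,7010,7011,49512:65535} to 172.16.224/24
# multicast groups for carplay
# IGMP in both directions on uap0, no address constraint.
pass quick on uap0 proto $igmp
# MDNS for carplay via IP4 and IP6
# No address family and no source/destination constraint: any UDP to port 5353,
# both directions, both families. NOTE(review): could be narrowed to the mDNS
# multicast destinations if the clients do not need unicast mDNS.
pass quick on uap0 proto udp from any to any port 5353
# allow DNS on uap0
# Stateful; $carip includes "(self)", so DNS to this host itself is covered.
pass quick on uap0 proto udp from any to $carip port 53 keep state

#
# DHCP Config
#

# allow DHCP on uap0
# DISCOVER/REQUEST from unconfigured clients (0.0.0.0 -> broadcast), then
# renewals from the configured subnet, then the server's replies.
pass in quick on uap0 proto udp from 0.0.0.0 port 68 to 255.255.255.255 port 67
pass in quick on uap0 proto udp from 172.16.224/24 port 68 to {255.255.255.255,172.16.224.1} port 67
pass out quick on uap0 proto udp from 172.16.224.1 port 67 to {255.255.255.255,172.16.224/24} port 68

# allow DHCP on wfd0
# Same pattern as uap0, with the <wfd> table as the client set.
pass in quick on wfd0 proto udp from 0.0.0.0 port 68 to 255.255.255.255 port 67
pass in quick on wfd0 proto udp from <wfd> port 68 to {255.255.255.255,172.16.222.1} port 67
pass out quick on wfd0 proto udp from 172.16.222.1 port 67 to {255.255.255.255,<wfd>} port 68

#
# ICMP Config
#

# allow ICMP on $carip
# Echo request only, stateful (the reply is matched by the state entry), and
# only between addresses in $carip; other ICMP types fall through to "block all".
pass quick inet proto icmp from $carip to $carip icmp-type echoreq keep state

#
# PF anchors
#

# Per-link filter/route anchors; their contents are loaded separately.
anchor filter_NAD
anchor route_NAD
anchor filter_BT1
anchor route_BT1
anchor filter_BT2
anchor route_BT2
anchor filter_USB
anchor route_USB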