From: Willem Jan Withagen <wjw@digiware.nl>
To: Eugene Grosbein, Craig Leres, Dave Cottlehuber, freebsd-hackers@freebsd.org
Subject: Re: rcorder for vpn-like tunnels during early rc.d startup
Date: Thu, 27 Dec 2018 12:09:39 +0100
In-Reply-To: <8a8c6e8e-4781-9e03-36cf-b7974cb719bc@grosbein.net>
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>
On 22/12/2018 19:28, Eugene Grosbein wrote:
> 23.12.2018 1:22, Craig Leres wrote:
>
>> On 12/22/18 7:18 AM, Eugene Grosbein wrote:
>>> You should not try to make it start before packet filters, that is wrong
>>
>> How should I handle the case where I start several openvpn tunnels and
>> have references to them in my pf.conf? My solution was to write an rc.d
>> script that gives a configured list of tun devices up to a minute to come
>> up and then do a "service pf reload".
>
> And this is the right thing to do :-)
> I mean, if your filtering rules depend on an ever-changing list of interfaces,
> just reconfigure the filter when the list changes,
> or better, teach the filter to catch up with changes automatically, if possible.
You might want to use the ifup/ifdown scripts to add the specifics for the
VPN that just came up. The tricky part is how to get things into the tables
at the right place.

So with IPFW I use specific line numbers reserved for inserting certain rules
(using counter rules to split the fw code into blocks). But it sort of feels
like going back to 1980s BASIC programming.

--WjW
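The two approaches in this thread, an ifup/ifdown-style hook that drops a tunnel's rules into a reserved IPFW rule-number block, and an rc.d-style wait for the tun device before touching the filter, as one worked example. This is an added illustration, not code from the thread or from FreeBSD; the layout it assumes is hypothetical: rule numbers 10000-10999 and ipfw sets 10-19 are reserved for tun0 through tun9, each tunnel owning a 100-number block and one set so its rules can be removed in a single `ipfw delete set`. `IPFW`, `IFCONFIG`, `vpn_up`, `vpn_down` and `wait_for_iface` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): install a VPN tunnel's IPFW rules at a
# reserved, predictable position in the ruleset, tagged with the tunnel's own
# ipfw set so they can be torn down in one go, plus a bounded wait for the tun
# device like the rc.d script described in the thread.
# Hypothetical layout: rules 10000-10999 and sets 10-19 are reserved for tun0..tun9.

IPFW="${IPFW:-/sbin/ipfw -q}"          # unquoted below; set IPFW=echo for a dry run
IFCONFIG="${IFCONFIG:-/sbin/ifconfig}" # probe used to see whether the tun exists yet
VPN_BASE=10000                         # first rule number of the reserved VPN area
BLOCK_SIZE=100                         # rule numbers per tunnel
VPN_SET_BASE=10                        # ipfw set (VPN_SET_BASE + N) owns tunN's rules

# vpn_unit tunN -> N, failing for anything that is not tun0..tun9
vpn_unit() {
    unit="${1#tun}"
    case "$1:$unit" in
        tun[0-9]:[0-9]) echo "$unit" ;;
        *) echo "vpn_unit: no reserved block for '$1'" >&2; return 1 ;;
    esac
}

# vpn_block tunN -> first rule number of that tunnel's block (10000, 10100, ...)
vpn_block() {
    unit=$(vpn_unit "$1") || return 1
    echo $((VPN_BASE + unit * BLOCK_SIZE))
}

# vpn_set tunN -> ipfw set number that owns that tunnel's rules (10, 11, ...)
vpn_set() {
    unit=$(vpn_unit "$1") || return 1
    echo $((VPN_SET_BASE + unit))
}

# vpn_up tunN remote_net: (re)install the rules for one tunnel.
# The tunnel's set is emptied first so a reconnect never leaves duplicates.
vpn_up() {
    ifn="$1"; net="$2"
    base=$(vpn_block "$ifn") || return 1
    set_no=$(vpn_set "$ifn") || return 1
    $IPFW delete set "$set_no" || :     # an empty set is not an error here
    $IPFW add "$base"        set "$set_no" allow ip from "$net" to any in recv "$ifn"
    $IPFW add $((base + 10)) set "$set_no" allow ip from any to "$net" out xmit "$ifn"
    $IPFW add $((base + 90)) set "$set_no" deny log ip from any to any via "$ifn"
}

# vpn_down tunN: remove every rule owned by the tunnel with one command.
vpn_down() {
    set_no=$(vpn_set "$1") || return 1
    $IPFW delete set "$set_no" || :
}

# wait_for_iface tunN seconds: poll once a second until the device exists,
# giving up (return 1) after the timeout instead of hanging the boot.
wait_for_iface() {
    ifn="$1"; left="${2:-60}"
    while [ "$left" -gt 0 ]; do
        $IFCONFIG "$ifn" >/dev/null 2>&1 && return 0
        sleep 1
        left=$((left - 1))
    done
    echo "wait_for_iface: $ifn did not appear" >&2
    return 1
}

# Hook entry points (hypothetical wiring): "up tunN remote_net" / "down tunN".
case "${1:-}" in
    up)   wait_for_iface "$2" 60 && vpn_up "$2" "$3" ;;
    down) vpn_down "$2" ;;
esac
```

Run it with `IPFW=echo sh vpn-hook.sh up tun2 10.8.0.0/24` to see the rule numbers and set that tun2 would get without touching the live firewall. Keying the rule position on the tun unit rather than on start order is what makes the block reserved: whichever tunnel comes up first, tun2's rules always land at 10200-10299 in set 12, and `vpn_down` removes exactly that set and nothing else.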