From: Willem Jan Withagen <wjw@digiware.nl>
To: Eugene Grosbein, Craig Leres, Dave Cottlehuber, freebsd-hackers@freebsd.org
Subject: Re: rcorder for vpn-like tunnels during early rc.d startup
Date: Thu, 27 Dec 2018 13:31:03 +0100
Message-ID: <003d8528-c72b-5861-8c7f-7032731408d5@digiware.nl>
In-Reply-To: <5C24B9CB.1070800@grosbein.net>
References: <1545487265.3497867.1616158504.69E513B4@webmail.messagingengine.com> <8a8c6e8e-4781-9e03-36cf-b7974cb719bc@grosbein.net> <5C24B9CB.1070800@grosbein.net>
On 27/12/2018 12:38, Eugene Grosbein wrote:
> On 27.12.2018 18:09, Willem Jan Withagen wrote:
>
>> Might want to use the ifup/ifdown scripts to add the specifics for the
>> VPN that just came up. Tricky part is how to get things in the tables at
>> the right place.
>>
>> So with IPFW I use specific line numbers reserved to insert certain
>> rules. (using counter rules to split the fw code into blocks)
>>
>> But it sort of feels like going back in the 80's basic programming.
> Current ipfw implementation allows you to use 'tun*' or table containing interface names:
>
> ipfw table NAME create type iface
> ipfw add 2000 allow ip from any to any via 'table(NAME)'
>
> ipfw table NAME add tap0
> ipfw table NAME add tun0
>
> Note you do not have to change ruleset at all; you add or delete table records only.
>
Nice, I was wondering about this, if tables would work for that.

That is fine if all your VPNs have the same rules, but if they have different
properties and are incoming and outgoing you will want a bit more control over
what's going on. Hence my basic feeling.... :)

--WjW
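The following is an added example, written for this archive page and not code posted by Eugene, Willem or the FreeBSD project. It shows what an ifup/ifdown-style hook around the quoted ipfw table approach looks like: the ruleset keeps one fixed rule that refers to an interface table, and the hook only adds or removes the tunnel's interface name. The script name (vpn-iface-table.sh), the table name vpn_ifaces, the /sbin/ipfw path and the IPFW/TABLE/RULE_NUM variables are assumptions for illustration; rule number 2000 is taken from the quoted example. The hook validates the interface name before passing it to ipfw, since hook arguments come from outside the script.

```shell
#!/bin/sh
# Added example, not from the thread: keep VPN tunnel interfaces in an ipfw
# table of type "iface" so the ruleset never has to be renumbered when a
# tunnel comes or goes.  Invoke from an ifup/ifdown-style hook as
#   vpn-iface-table.sh up tun0       (hypothetical script name)
#   vpn-iface-table.sh down tun0
# Table name, rule number and the IPFW path are assumptions.

TABLE="${TABLE:-vpn_ifaces}"   # assumed table name
RULE_NUM="${RULE_NUM:-2000}"   # rule number from the quoted example
IPFW="${IPFW:-/sbin/ipfw}"     # set IPFW=echo to print commands instead of applying them

# Accept only names of the form tun<digits> or tap<digits>, so a hook invoked
# with an unexpected argument cannot smuggle extra words into an ipfw command.
valid_iface() {
    prefix=${1%%[0-9]*}       # everything before the first digit
    digits=${1#"$prefix"}     # everything from the first digit on
    [ -n "$digits" ] || return 1
    case "$prefix" in tun|tap) ;; *) return 1 ;; esac
    case "$digits" in *[!0-9]*) return 1 ;; esac
    return 0
}

# Create the table and the single rule that refers to it.  Safe to call on
# every "up": table creation of an existing table is ignored, and the rule is
# only added when no rule with that number is listed yet.
ensure_ruleset() {
    "$IPFW" table "$TABLE" create type iface 2>/dev/null || true
    if ! "$IPFW" list | grep -q "^0*${RULE_NUM} "; then
        "$IPFW" add "$RULE_NUM" allow ip from any to any via "table($TABLE)"
    fi
}

# Hook entry point: "up IFACE" registers the tunnel, "down IFACE" removes it.
# Returns 2 on a bad interface name or action so the caller can notice.
vpn_iface_hook() {
    action=$1
    iface=$2
    if ! valid_iface "$iface"; then
        echo "vpn-iface-table: refusing interface name '$iface'" >&2
        return 2
    fi
    case "$action" in
        up)   ensure_ruleset; "$IPFW" table "$TABLE" add "$iface" ;;
        down) "$IPFW" table "$TABLE" delete "$iface" ;;
        *)    echo "usage: vpn-iface-table.sh up|down IFACE" >&2; return 2 ;;
    esac
}

# Dispatch only when run as a script with arguments, so the functions can
# also be sourced for testing.
if [ "$#" -gt 0 ]; then
    vpn_iface_hook "$@"
fi
```

One table means one policy for every interface in it, which is exactly the limitation Willem points out. For tunnels that need different treatment, the same hook can be pointed at a second table (and a second fixed rule) through the TABLE and RULE_NUM variables, so that per-class policy still lives in static rules while the interface membership stays dynamic.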