Date: Sun, 07 Mar 2004 11:42:12 -0700
From: Tim Pushor <timp@crossthread.com>
To: Barbish3@adelphia.net
Cc: questions@freebsd.org
Subject: Re: tun devices and firewall
Message-ID: <404B6D04.20806@crossthread.com>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGOEHBFOAA.Barbish3@adelphia.net>
References: <MIEPLLIBMLEEABPDBIEGOEHBFOAA.Barbish3@adelphia.net>
JJB,

Wow, those are some very powerful opinions that you have and are touting as fact. Regardless, I was not asking about the relative stability of the current branch, or advice on coding rules. I simply have a firewall with a default deny, and I write rules for what I want to allow. I have a couple of on-again, off-again PPP over SSH tunnels (that I will get rid of; *that* seems like a dirty solution to me) that I am sure are going to give me grief. I also use mpd to allow a couple of pptp connections, and packets coming from ng0-4 were failing (because there was no rule allowing them). I added a rule to allow traffic coming from ng0-4, and would like to do something similar for the tun devices.

Of course, there are other ways to accomplish this; I was just wondering if I could get the interfaces created before the firewall started up somehow. I did try to add a number to the tun device in the kernel config file, but it didn't like it (as I had suspected). It's just that adding a rule based on the tun devices is fairly clean, and easy to understand by someone going through the rules...

Tim

JJB wrote:
> PF is brand new to FBSD and I have not played with it yet. But it
> can't be that different. First of all, you only create filter rules
> for the interface connected to the public internet. Rules on other
> internal interfaces are an invalid configuration of the firewall.
> There are no error messages to tell you this. For the max in
> protection, you must code stateful rules, i.e. the bi-directional
> package exchange flow is monitored during the complete session
> conversation. I do not know if PF has that ability, like ipfilter
> does. Should default to deny all in or out packets that are not
> allowed by a stateful session conversation start rule. As far as
> devices not being used, the firewall does not care. All it cares
> about is that the device is defined in the kernel. New in 5.x the
> /dev entry gets automatically created on first time use and is there
> from that point on.
>
> FYI, 5.2.1 is a version of FBSD just for developers who can debug
> kernel code. 5.2.1 is very dirty and crashes all the time under
> moderate to heavy loads. The official FBSD handbook says use it at
> your own risk. You should not be using this for a mission critical
> environment. The 4.9 stable release is the version you should be
> using, anything else is a big gamble.
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Tim Pushor
> Sent: Sunday, March 07, 2004 1:09 AM
> To: questions@freebsd.org
> Subject: tun devices and firewall
>
> Hi all,
>
> I am building a new firewall based on 5.2.1-RELEASE. I am using the
> openbsd port of PF, but I think that my question is fairly generic.
>
> I have remote systems that sort of vpn through this one using
> ppp-over-ssh. This uses tun devices. In the past, when I had
> configured X number of devices in the kernel, those interfaces were
> always present in the system, and I think I could firewall based on
> them.
>
> Now in FreeBSD 5, the interfaces (or entries in /dev) don't exist
> until they are actually used (I think, I am having some trouble
> getting ppp working, but I think I have another problem).
>
> I had to add rules to enable traffic over the ngx devices as well for
> some other things I'm running, and I assume I'll have to do the same
> for the tun devices. Does anyone have any advice as to what I can do?
> pf doesn't know about the tun devices at boot time, so I can't use
> them in the ruleset.
>
> Thanks,
> Tim
>
> (PS Please CC: me as I am not subscribed to the list - Thanks)
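The ruleset shape discussed in this thread (default deny, explicit stateful allows on the public interface, and separate allow rules for the tunnel interfaces that may not exist yet at boot), as an added example that is not part of the thread or of any FreeBSD/pf project code. The interface names (fxp0, tun0, ng0...) and the VPN network are constructed placeholders, and the example assumes a pf version whose ruleset loader accepts interface names that are not present at load time and binds the rule when the interface appears; check that on the target host with `pfctl -nf` before relying on it.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate a default-deny
# pf.conf that also covers tunnel interfaces created on first use.
# Assumption: pf accepts rules on interfaces that do not yet exist.

gen_pf_conf() {
    ext_if="$1"     # public interface, placeholder such as fxp0
    tun_ifs="$2"    # space-separated tunnel interfaces, e.g. "tun0 tun1 ng0"
    vpn_net="$3"    # address range reachable over the tunnels (placeholder)
    iflist=$(echo $tun_ifs | sed 's/ /, /g')
    cat <<EOF
ext_if = "$ext_if"
tun_ifs = "{ $iflist }"
vpn_net = "$vpn_net"

# Default deny in both directions; every rule below is an explicit allow.
block log all

# Loopback is trusted.
pass quick on lo0

# Public side: only the tunnel transports (ssh for ppp-over-ssh, pptp and
# gre for mpd) may come in, and only as tracked sessions.
pass in on \$ext_if proto tcp to \$ext_if port { 22, 1723 } flags S/SA keep state
pass in on \$ext_if proto gre to \$ext_if keep state
pass out on \$ext_if keep state

# Tunnel side: only the VPN range, stateful. These interfaces may not exist
# when the ruleset is loaded at boot; pf binds the rules when they appear.
pass in on \$tun_ifs from \$vpn_net keep state
pass out on \$tun_ifs to \$vpn_net keep state
EOF
}

# Syntax-check the generated ruleset with pfctl when it is installed;
# elsewhere just confirm the generator produced output.
check_pf_conf() {
    if command -v pfctl >/dev/null 2>&1; then
        gen_pf_conf "$@" | pfctl -nf -
    else
        [ -n "$(gen_pf_conf "$@")" ]
    fi
}

# Usage: gen_pf_conf fxp0 "tun0 tun1 ng0 ng1 ng2 ng3 ng4" 10.8.0.0/24 > /etc/pf.conf
```

Listing the tunnel interfaces in one macro keeps the per-interface rules readable for whoever audits the ruleset later, which was the point raised in the reply above; if a pf version refuses an unknown interface name, `pfctl -nf` reports it at load time rather than silently dropping the rule.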
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?404B6D04.20806>