Date: Sat, 22 Dec 2018 22:18:42 +0700
From: Eugene Grosbein <eugen@grosbein.net>
To: Dave Cottlehuber <dch@skunkwerks.at>, freebsd-hackers@freebsd.org
Subject: Re: rcorder for vpn-like tunnels during early rc.d startup
Message-ID: <f9a31f17-0e5f-265a-60ac-010e0c16bc22@grosbein.net>
In-Reply-To: <1545487265.3497867.1616158504.69E513B4@webmail.messagingengine.com>
References: <1545487265.3497867.1616158504.69E513B4@webmail.messagingengine.com>
22.12.2018 21:01, Dave Cottlehuber wrote:

> I have a port[1] net/zerotier that provides a p2p layer2+ vpn via tap(4) interfaces.
> Ideally zerotier/zt would be available early enough during boot that later daemons
> such as ssh and other network services would be able to bind to those interfaces.

You should not try to make it start before packet filters; that is wrong and may sometimes even partially defeat the security goals of VPN networking. The whole system of FreeBSD rc.d script dependencies assumes that packet filters initialize before the network is fully operational.

Take a look at the base system's /etc/rc.d/ppp for an example of a tunneling daemon that starts as early as possible.

Another example is /etc/rc.d/local_unbound, which needs fully operating networking but starts early enough to provide DNS services for ssh and others: in FreeBSD 12.0+ it REQUIREs the "defaultroute" and "netwait" features.
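The ordering discussed above is what rcorder(8) computes from the `# PROVIDE:`, `# REQUIRE:` and `# BEFORE:` comment lines at the top of each rc.d script. The following is an added illustration, not part of this thread and not FreeBSD's rcorder: a small Python reimplementation of that dependency sort run over constructed, simplified script headers. The `zerotier` header is hypothetical and shows the placement the reply recommends (after the packet filter and after `defaultroute`/`netwait`, before the services that should bind to the tunnel interface); the other headers are stand-ins whose dependency lists are not copied from the real /etc/rc.d files.

```python
"""Minimal rcorder(8)-style dependency ordering for rc.d script headers.

Added example for this thread; it is not FreeBSD's rcorder and the sample
scripts are constructed, simplified stand-ins for the real /etc/rc.d files.
"""
import heapq
import re
from collections import defaultdict

# rcorder(8) reads these comment keywords from the top of each script.
KEYWORD_RE = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE|KEYWORD):\s*(.*)$", re.MULTILINE)

# Constructed sample headers (dependency lists are simplified, not copied from base).
SAMPLE_SCRIPTS = {
    "FILESYSTEMS": "# PROVIDE: FILESYSTEMS\n",
    "netif": "# PROVIDE: netif\n# REQUIRE: FILESYSTEMS\n",
    "pf": "# PROVIDE: pf\n# REQUIRE: netif\n# BEFORE: routing\n",
    "routing": "# PROVIDE: routing\n# REQUIRE: netif\n",
    "defaultroute": "# PROVIDE: defaultroute\n# REQUIRE: routing\n",
    "netwait": "# PROVIDE: netwait\n# REQUIRE: defaultroute\n",
    "NETWORKING": "# PROVIDE: NETWORKING\n# REQUIRE: netif routing defaultroute\n",
    # Hypothetical tunnel daemon placed as the reply recommends: after the
    # packet filter and a working default route, but before the services that
    # should be able to bind to the tunnel interface.
    "zerotier": "# PROVIDE: zerotier\n# REQUIRE: pf defaultroute netwait\n# BEFORE: sshd\n",
    "sshd": "# PROVIDE: sshd\n# REQUIRE: NETWORKING\n",
}


def parse_keywords(text):
    """Return the PROVIDE/REQUIRE/BEFORE/KEYWORD lists found in a script header."""
    found = {"PROVIDE": [], "REQUIRE": [], "BEFORE": [], "KEYWORD": []}
    for key, value in KEYWORD_RE.findall(text):
        found[key].extend(value.split())
    return found


def rcorder(scripts):
    """Return script names in a start order satisfying every REQUIRE and BEFORE.

    Builds a graph with an edge provider -> dependent and topologically sorts it
    (Kahn's algorithm, ties broken by name so the result is deterministic).
    Raises ValueError on a dependency cycle, which rcorder(8) also rejects.
    """
    headers = {name: parse_keywords(text) for name, text in scripts.items()}
    providers = defaultdict(set)
    for name, kw in headers.items():
        for feature in kw["PROVIDE"]:
            providers[feature].add(name)

    edges = defaultdict(set)
    indegree = {name: 0 for name in scripts}

    def add_edge(first, later):
        if later not in edges[first]:
            edges[first].add(later)
            indegree[later] += 1

    for name, kw in headers.items():
        for feature in kw["REQUIRE"]:
            # A requirement nobody provides is skipped here; rcorder(8) warns
            # about it and likewise carries on.
            for provider in providers.get(feature, ()):
                add_edge(provider, name)
        for feature in kw["BEFORE"]:
            for dependent in providers.get(feature, ()):
                add_edge(name, dependent)

    ready = [name for name, deg in indegree.items() if deg == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        name = heapq.heappop(ready)
        order.append(name)
        for later in edges[name]:
            indegree[later] -= 1
            if indegree[later] == 0:
                heapq.heappush(ready, later)

    if len(order) != len(scripts):
        raise ValueError("dependency cycle among: %s" % sorted(set(scripts) - set(order)))
    return order


def starts_before(order, first, later):
    """True when `first` is scheduled ahead of `later` in `order`."""
    return order.index(first) < order.index(later)


if __name__ == "__main__":
    for position, name in enumerate(rcorder(SAMPLE_SCRIPTS), 1):
        print("%2d %s" % (position, name))
```

With these headers the tunnel daemon lands after `pf`, `defaultroute` and `netwait` and ahead of `sshd`, which is the property to check when placing a new script: a `REQUIRE:` on the packet filter is what keeps the tunnel from coming up on an unfiltered host, and a `BEFORE:` on the consumers is what lets them bind to the interface. The real rcorder(8) operates on the scripts in /etc/rc.d and /usr/local/etc/rc.d, so `rcorder /etc/rc.d/* /usr/local/etc/rc.d/*` on the target machine is the authoritative way to confirm where a port's script actually falls.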