From owner-freebsd-questions@FreeBSD.ORG Tue Jan 20 14:14:30 2015
From: krad
To: Panagiotis Atmatzidis
Date: Tue, 20 Jan 2015 14:14:29 +0000
Subject: Re: A way to load PF rules at startup using OpenVPN
In-Reply-To: <44269B05-51E7-4279-B828-1990DC73251F@convalesco.org>
References: <20150120101144.735f0b67@helium> <20150120140631.377bee87@helium> <44269B05-51E7-4279-B828-1990DC73251F@convalesco.org>
List-Id: User questions <freebsd-questions@freebsd.org>
Cc: Maciej Suszko, FreeBSD Questions

cloned_interfaces should take care of that, as I have tun0 referenced in my pf.conf and it works fine. Check it's defined correctly with:

    # sysrc cloned_interfaces
    cloned_interfaces: gif0 tun0 bridge0

Another way of doing it would be to comment out the last line in your pf.conf and add an anchor at the end, e.g.

    anchor "vpn/*"

then do something like

    echo "pass in quick on vtnet0 proto { tcp udp } from tun0 to vtnet0 port 8123" | pfctl -a vpn -f -

after openvpn has started up. The problem you have is that if someone stops openvpn from running at startup, suddenly you have no firewall. It's also starting up much later than it should, so you are exposing yourself for a small window of time.

On 20 January 2015 at 13:39, Panagiotis Atmatzidis wrote:
> Hello,
>
> > On 20 Jan 2015, at 15:06, Maciej Suszko wrote:
> >
> > On Tue, 20 Jan 2015 14:18:28 +0200
> > Panagiotis Atmatzidis wrote:
> >
> > […]
> >
> > Post your pf.conf, pfctl -nvf /etc/pf.conf with tun0 present and
> > absent, look at dmesg -a, messages etc.
>
> Using ‘pfctl -nvf /etc/pf.conf’ without tun0 comes up with the following
> error:
>
> No IP address found for tun0
> /etc/pf.conf:86: could not parse host specification
>
> Line 86 is:
> https://gist.github.com/atmosx/2dcff31a0d8868d4b1c7#file-pf-conf-L83 <
> https://gist.github.com/atmosx/2dcff31a0d8868d4b1c7#file-pf-conf-L86>
>
> But how do I bypass this using pf.conf alone? The .conf needs to become
> ‘dynamic’ somehow.
>
> > Just my 2 cents...
> > --
> > regards, Maciej Suszko.
>
> Panagiotis (atmosx) Atmatzidis
>
> email: atma@convalesco.org
> URL: http://www.convalesco.org
> GnuPG ID: 0x1A7BFEC5
> gpg --keyserver pgp.mit.edu --recv-keys 1A7BFEC5
>
> "As you set out for Ithaca, hope the voyage is a long one, full of
> adventure, full of discovery [...]" - C. P. Cavafy
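As an added example (not code from krad's post, nor from the OpenVPN or FreeBSD projects), here is the anchor approach above written out as an OpenVPN up/down script. The idea it demonstrates: /etc/pf.conf keeps only interface-independent rules plus a trailing anchor "vpn/*" line, so the base firewall loads at boot whether or not openvpn ever starts, and the rules that mention tun0 are loaded into a sub-anchor below vpn only once the tunnel interface exists (and flushed again when it goes away). The interface names vtnet0 and tun0, port 8123, the anchor name vpn and the script path /usr/local/etc/openvpn/pf-anchor.sh are assumptions taken from the thread or invented for illustration.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. OpenVPN "up"/"down"
# script: loads the tun-dependent pf rules into a sub-anchor under "vpn"
# after the tunnel is up, and flushes them when it goes down. Assumes
# /etc/pf.conf ends with  anchor "vpn/*"  and no longer references tun0
# itself, so the base ruleset loads at boot regardless of openvpn.
# Interface names, port and anchor name are illustrative.

ANCHOR="vpn"
EXT_IF="${EXT_IF:-vtnet0}"      # external interface (assumed name)
VPN_PORT="${VPN_PORT:-8123}"    # service reachable from the VPN (assumed)

# Only plain names reach the ruleset: "$dev" arrives via the environment
# and is interpolated into text fed to pfctl, so restrict it to [A-Za-z0-9_].
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# A port must be all digits for the same reason.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the sub-anchor ruleset (the rule from the thread) for the given
# external interface, tunnel interface and port. Because it is loaded only
# after the tunnel exists, "from tun0" resolves to an address, and the
# boot-time "No IP address found for tun0" error cannot occur.
vpn_rules() {
    ext_if=$1; vpn_if=$2; port=$3
    valid_ifname "$ext_if" && valid_ifname "$vpn_if" && valid_port "$port" || return 1
    printf 'pass in quick on %s proto { tcp udp } from %s to %s port %s\n' \
        "$ext_if" "$vpn_if" "$ext_if" "$port"
}

# Load the rules into vpn/<dev>, which the anchor "vpn/*" line in pf.conf
# evaluates. pfctl -n parses (and resolves addresses) without loading, so a
# bad ruleset is rejected before the live anchor is touched.
load_vpn_rules() {
    dev=$1
    rules=$(vpn_rules "$EXT_IF" "$dev" "$VPN_PORT") || return 1
    printf '%s\n' "$rules" | pfctl -a "$ANCHOR/$dev" -nf - || return 1
    printf '%s\n' "$rules" | pfctl -a "$ANCHOR/$dev" -f -
}

# Drop the sub-anchor's rules when the tunnel goes away so nothing stale
# keeps passing traffic for an interface that no longer exists.
flush_vpn_rules() {
    valid_ifname "$1" || return 1
    pfctl -a "$ANCHOR/$1" -F rules
}

# OpenVPN exports script_type ("up" or "down") and dev (the tun device)
# when it runs an up/down script. Outside that context nothing happens.
case "${script_type:-}" in
    up)   load_vpn_rules "${dev:?no tun device from openvpn}" ;;
    down) flush_vpn_rules "${dev:?no tun device from openvpn}" ;;
esac
```

To wire it in, the openvpn config needs script-security 2 plus up and down lines pointing at the script (the path above is an assumption). One caveat worth knowing: if the config drops privileges with user/group, the down script runs as that unprivileged user and the pfctl flush fails; OpenVPN's down-root plugin exists for exactly that case. The base ruleset still protects the host either way, which is the point of moving the tun rules out of pf.conf.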