From: Tim Pushor
To: questions@freebsd.org
Date: Sat, 06 Mar 2004 23:08:53 -0700
Subject: tun devices and firewall
Message-ID: <404ABC75.5010903@crossthread.com>

Hi all,

I am building a new firewall based on 5.2.1-RELEASE. I am using the OpenBSD port of PF, but I think that my question is fairly generic.

I have remote systems that sort of VPN through this one using ppp-over-ssh. This uses tun devices. In the past, when I had configured X number of devices in the kernel, those interfaces were always present in the system, and I think I could firewall based on them. Now in FreeBSD 5, the interfaces (or entries in /dev) don't exist until they are actually used (I think, I am having some trouble getting ppp working, but I think I have another problem).

I had to add rules to enable traffic over the ngx devices as well for some other things I'm running, and I assume I'll have to do the same for the tun devices.

Does anyone have any advice as to what I can do? pf doesn't know about the tun devices at boot time, so I can't use them in the ruleset.

Thanks,
Tim

(PS Please CC: me as I am not subscribed to the list - Thanks)