From: Maciej Suszko
To: Panagiotis Atmatzidis
Cc: FreeBSD Questions
Date: Tue, 20 Jan 2015 14:06:31 +0100
Subject: Re: A way to load PF rules at startup using OpenVPN
Message-ID: <20150120140631.377bee87@helium>

On Tue, 20 Jan 2015 14:18:28 +0200
Panagiotis Atmatzidis wrote:

[...]
> I resolved the issue by creating a devd conf file:
>
> $ cat /etc/devd/tun.conf
> # Run PF when tun0 is up
> notify 0 {
>         match "system"          "IFNET";
>         match "subsystem"       "tun0";
>         match "type"            "LINK_UP";
>         action "/etc/rc.d/pf start";
> };
>
> This file makes sure ‘pf’ is executed right after the ‘tun0’ interface
> is UP, which happens at boot anyway since openvpn is started by
> ‘rc.conf’. You need to have ‘pf’ enabled in ‘rc.conf’ of course.
>
> It works fine now on every reboot :-)

It just looks like a solution taken directly from the Linux world... If
we don't know why it's not working, let's put an rc script somewhere -
problem solved!

In my opinion, a properly created pf.conf has nothing to do with openvpn
- neither running nor stopped. Post your pf.conf, pfctl -nvf
/etc/pf.conf with tun0 present and absent, look at dmesg -a, messages
etc.

Just my 2 cents...
-- 
regards, Maciej Suszko.
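
An added example, not part of the thread or of any poster's configuration: an offline check to run next to the `pfctl -nvf /etc/pf.conf` comparison suggested above. It assumes the ruleset's dependence on tun0 comes from using the interface name as an address, which pf.conf(5) translates at load time unless the name is in parentheses; the thread does not confirm this cause. The names `pf_loadtime_refs` and `sample_pf_conf` and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: list pf.conf lines that use an interface name as an
# address without parentheses. pf.conf(5) translates such names to
# addresses when the ruleset is loaded; "(tun0)" makes pf track the
# interface's address dynamically instead.

# pf_loadtime_refs IFNAME [FILE]
# Reads FILE (or stdin) and prints "lineno:rule" for each hit.
# Limits: plain interface names only; macros are not expanded.
pf_loadtime_refs() {
    ifname=$1
    # Strip trailing comments, then look for IFNAME (optionally with
    # modifiers such as :network or :0) directly after from / to / ->
    cat "${2:--}" |
        sed 's/#.*$//' |
        grep -nE "(from|to|->)[[:space:]]+!?[[:space:]]*${ifname}(:[a-z0-9]+)*([[:space:]]|\$)"
}

# Constructed sample ruleset used to exercise the check.
sample_pf_conf() {
    cat <<'EOF'
ext_if = "em0"
nat on $ext_if from tun0:network to any -> ($ext_if)   # load-time lookup
nat on $ext_if from (tun0:network) to any -> ($ext_if) # dynamic lookup
pass in on tun0 from any to tun0
pass in on tun0 from any to (tun0)
pass in quick on tun0 all   # "on tun0" matches an interface, not an address
EOF
}

# Stand-alone use: sh script.sh tun0 /etc/pf.conf
if [ "$#" -gt 0 ]; then
    pf_loadtime_refs "$@"
fi
```

On the constructed sample this reports lines 2 and 4, the two rules whose address lookup for tun0 happens when the ruleset is loaded.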