From: Panagiotis Atmatzidis
Subject: Re: A way to load PF rules at startup using OpenVPN [SOLVED]
Date: Tue, 20 Jan 2015 15:53:57 +0200
To: Maciej Suszko
Cc: FreeBSD Questions
In-Reply-To: <20150120140631.377bee87@helium>
References: <20150120101144.735f0b67@helium> <20150120140631.377bee87@helium>
Message-Id: <74BA96D6-EB31-4534-9428-C646EF901E5B@convalesco.org>

> On 20 Jan 2015, at 15:06, Maciej Suszko wrote:
>
> On Tue, 20 Jan 2015 14:18:28 +0200
> Panagiotis Atmatzidis wrote:
>
> [...]
>
>> I resolved the issue by creating a devd conf file:
>>
>> $ cat /etc/devd/tun.conf
>> # Run PF when tun0 is up
>> notify 0 {
>>         match "system" "IFNET";
>>         match "subsystem" "tun0";
>>         match "type" "LINK_UP";
>>         action "/etc/rc.d/pf start";
>> };
>>
>> This file makes sure ‘pf’ is executed right after the ‘tun0’ interface is UP, which happens at boot anyway since openvpn is started by ‘rc.conf’. You need to have ‘pf’ enabled in ‘rc.conf’ of course.
>>
>> It works fine now on every reboot :-)
>
> It just looks like a solution taken directly from the Linux world... If we
> don't know why it's not working, let's put an rc script somewhere -
> problem solved!
>
> In my opinion, a properly created pf.conf has nothing to do with openvpn
> - neither running nor stopped.
>
> Post your pf.conf, pfctl -nvf /etc/pf.conf with tun0 present and
> absent, look at dmesg -a, messages etc.
>
> Just my 2 cents...
> --
> regards, Maciej Suszko.

Actually never mind, that rule created the problem and it’s not needed at all. VPN users have access to all ports, so I’m all set now.

Thanks Maciej and Krad :-)

Panagiotis (atmosx) Atmatzidis
email: atma@convalesco.org
URL: http://www.convalesco.org
GnuPG ID: 0x1A7BFEC5
gpg --keyserver pgp.mit.edu --recv-keys 1A7BFEC5

"As you set out for Ithaca, hope the voyage is a long one, full of adventure, full of discovery [...]" - C. P. Cavafy