Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 20 Jan 2015 14:18:28 +0200
From:      Panagiotis Atmatzidis <atma@convalesco.org>
To:        FreeBSD Questions <freebsd-questions@freebsd.org>
Cc:        Maciej Suszko <maciej@suszko.eu>
Subject:   Re: A way to load PF rules at startup using OpenVPN
Message-ID:  <F3202279-808B-4CBC-9F67-4CB89E9A59F9@convalesco.org>
In-Reply-To: <CALfReyfuR-%2BOZ4H1RUuwMcvZEgcciwnisCC31vm4%2BNDaXFVu6g@mail.gmail.com>
References:  <F84CF488-7CF6-4580-B169-AA441166E2CB@convalesco.org> <20150120101144.735f0b67@helium> <CALfReyfuR-%2BOZ4H1RUuwMcvZEgcciwnisCC31vm4%2BNDaXFVu6g@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help

--Apple-Mail=_B54CF411-D952-47FF-B9B4-C2322620D6F3
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Hello,


Thanks for the replies

> On 20 Jan 2015, at 11:16, krad <kraduk@gmail.com =
<mailto:kraduk@gmail.com>> wrote:
>=20
> put this in your rc conf it may help
>=20
> cloned_interfaces=3D=E2=80=9Ctun0"

That didn=E2=80=99t work either. Although the interface was created, =
still =E2=80=98pf=E2=80=99 was not able to start when I just created =
tun0 without starting OpenVPN.
I=E2=80=99m not sure if this problem can be reproduced elsewhere. I =
never had such issues with Linux iptables for example and googling =
around for a 2 days I didn=E2=80=99t find anyone else having the same =
issue on
any system, which is weird, because I=E2=80=99m sure that there are many =
*BSD + OpenVPN deployments.

>=20
> that will create the interface early on way before openvpn is spawned. =
You
> may need to force openvpn to use tun0 as it might try to create tun1
>=20
> On 20 January 2015 at 09:11, Maciej Suszko <maciej@suszko.eu =
<mailto:maciej@suszko.eu>> wrote:
>=20
>> On Mon, 19 Jan 2015 18:53:40 +0200
>> Panagiotis Atmatzidis <atma@convalesco.org =
<mailto:atma@convalesco.org>> wrote:
>>=20
>> [...]
>>=20
>>> I think that this has something to do with =E2=80=98tun0=E2=80=99 =
interface which is
>>> the last thing that is loaded at boot. Probably PF runs before this,
>>> sees rules that it doesn=E2=80=99t understand (related to tun0) and =
comes up
>>> short, then tun0 is loaded but it=E2=80=99s too late.
>>=20
>> That's simple to test, just destroy your tun device and check the
>> output of:
>>=20
>> # pfctl -nvf /etc/pf.conf
>> --
>> regards, Maciej Suszko.
>>=20
> _______________________________________________
> freebsd-questions@freebsd.org <mailto:freebsd-questions@freebsd.org> =
mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions =
<http://lists.freebsd.org/mailman/listinfo/freebsd-questions>;
> To unsubscribe, send any mail to =
"freebsd-questions-unsubscribe@freebsd.org =
<mailto:freebsd-questions-unsubscribe@freebsd.org>"

I resolved the issue by creating a devd conf file:

$ cat /etc/devd/tun.conf
# Run PF when tun0 is up
notify 0 {
	match "system"		"IFNET";
	match "subsystem"	"tun0";
	match "type"		"LINK_UP";
	action "/etc/rc.d/pf start";
};

This file makes sure =E2=80=98pf=E2=80=99 is executed right after =
=E2=80=98tun0=E2=80=99 interface is UP, which happens at boot anyway =
since openvpn is started by =E2=80=98rc.conf=E2=80=99. You need have =
=E2=80=98pf=E2=80=99 enabled in =E2=80=98rc.conf=E2=80=99 of course.

It works fine now on every reboot :-)

Thanks guys!

ps. A nice fella on #freeBSD@Freenode w/ nickname =E2=80=98frogs=E2=80=99 =
helped me with devd debugging.

Panagiotis (atmosx) Atmatzidis

email:	atma@convalesco.org <mailto:atma@convalesco.org>
URL:	http://www.convalesco.org <http://www.convalesco.org/>;
GnuPG ID: 0x1A7BFEC5
gpg --keyserver pgp.mit.edu <http://pgp.mit.edu/>; --recv-keys 1A7BFEC5

"As you set out for Ithaca, hope the voyage is a long one, full of =
adventure, full of discovery [...]" - C. P. Cavafy

--Apple-Mail=_B54CF411-D952-47FF-B9B4-C2322620D6F3
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP using GPGMail

-----BEGIN PGP SIGNATURE-----
Comment: Public Key Encryption

iQIcBAEBAgAGBQJUvkeUAAoJEPy01a8ae/7F/e8P/im99hfh5uVrgYCzKcFQ10OG
uUkq6Lb86KAf1J5cTp7jJ6zSZRHj7sK4ILVEtmrCwLkJGNO9/9jt9UizNbZprF32
KbNbrhUoG1O/3KUNhq/nn1xs4d6gcG+K+BRU2WDu7rxMZWkBwFB0Z0SCrbG2N5D1
Dd6MbKVQCssqp4CcWpzK2/5y7ifDeQZhKkTkjK8sJfnkBV1dWXnhkGRCKxMmkNwS
pTxWavZAdyPbDQZmI1TfuNtZR2ge92R8PfhpPUiCQx6zhHlSUoEr1pOwdVSh2myb
pXdP3p3xB1ZvHFNEVfPRGVPXRn0ScP/mLCEPIWaBGp5gxqCOk/QN+bGTHwG/oxw/
ccWP7ghuDcTu04zBD1uvXyofM/5M2EtUSHzVTgcs72wHSga7nnrdzJO1iukkSq92
MwfbbRSs727TxwepjrjvqezOh5XzvxpgPYIvS8AB4tZdIjvES6ShY4UJfl7hBN9M
2h49tM9ZSQpBgPbx0MBbDBa56orxK65KTB4aNHWQAVDKmxpPJ39/KsqyWsXiFSbM
FF/CHnY8VGIiufLDdvrr4Gnxez0lYWvvoHxx7ZqO36NclD1rP59C4VAzMB70dcK0
mqt+qDVmZEfMucwjujBuyXtNEeq9uL0O6n+yMTeyWsRCM1Os2P/kB7yT2v1iIoTz
7O2SugLnn7qYH2sWbqVm
=rPVf
-----END PGP SIGNATURE-----

--Apple-Mail=_B54CF411-D952-47FF-B9B4-C2322620D6F3--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F3202279-808B-4CBC-9F67-4CB89E9A59F9>