Date:      Sat, 11 Oct 2008 00:08:40 +0100
From:      Bruce Cran <bruce@cran.org.uk>
To:        remko@FreeBSD.org
Cc:        josh.carroll@gmail.com, freebsd-bugs@FreeBSD.org
Subject:   Re: conf/128005: /etc/rc.d/pf should REQUIRE ppp
Message-ID:  <48EFE078.5010907@cran.org.uk>
In-Reply-To: <200810101935.m9AJZbuU094978@freefall.freebsd.org>
References:  <200810101935.m9AJZbuU094978@freefall.freebsd.org>

remko@FreeBSD.org wrote:
> Synopsis: /etc/rc.d/pf should REQUIRE ppp
>
> State-Changed-From-To: open->closed
> State-Changed-By: remko
> State-Changed-When: Fri Oct 10 19:35:37 UTC 2008
> State-Changed-Why: 
> This had been discussed before and will not be incorporated. You can do
> that manually if needed and you can use cloned_interfaces to set up tun0
> in advance. Reason for this being loaded as soon as possible, is that
> the network stack is protected, if you do it differently there is a
> window of opportunity to break in. So you can do that locally if needed,
> but it will not get incorporated into the tree. This is a summary of
> what had been discussed before. Thanks for taking the time to submit
> this and for using FreeBSD!
>   

For pf another solution is to use '(tun0)' instead of just the plain 
'tun0' when specifying the source or destination interface; that causes 
the parsing to be done at runtime and allows the ruleset to be loaded 
when tun0 doesn't have an IP address.

e.g. use "pass out on tun0 proto tcp from (tun0) to any"

-- 
Bruce
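
The following is an added example, not part of the original message or of FreeBSD: a small checker that reports pf rules where a dynamic interface such as tun0 is used as a from/to address without parentheses, which is the form that needs the interface to have an address when the ruleset is loaded. The function name, the sample ruleset and the simplified handling of comments and string macros are assumptions made for illustration.

```python
import re

# Constructed sample ruleset for illustration; not taken from the thread.
SAMPLE_PF_CONF = '''\
ext_if = "tun0"
pass out on $ext_if proto tcp from tun0 to any
pass out on $ext_if proto tcp from ($ext_if) to any
pass in on tun0 proto tcp from any to $ext_if port 22
block in on tun0 from any to (tun0:broadcast)  # from tun0 in a comment
'''

MACRO_DEF = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
MACRO_USE = re.compile(r'\$(\w+)')


def load_time_iface_addrs(ruleset, dynamic_ifaces):
    """Return [(line_no, iface)] for each from/to address that names one of
    dynamic_ifaces without parentheses, so it is resolved at load time."""
    macros = {}
    findings = []
    for line_no, raw in enumerate(ruleset.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments (simplification)
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        # Expand simple string macros; unknown macros are left untouched.
        line = MACRO_USE.sub(lambda u: macros.get(u.group(1), u.group(0)), line)
        for iface in dynamic_ifaces:
            # Matches "from tun0", "to ! tun0", "to tun0:network";
            # the parenthesised form "(tun0)" does not match.
            bare = re.compile(
                r'\b(?:from|to)\s+(?:!\s*)?' + re.escape(iface) + r'\b')
            findings.extend((line_no, iface) for _ in bare.finditer(line))
    return findings


if __name__ == "__main__":
    for line_no, iface in load_time_iface_addrs(SAMPLE_PF_CONF, ["tun0"]):
        print(f"line {line_no}: {iface} used as an address without parentheses")
```

The `on tun0` interface match is deliberately not reported; only the from/to address positions are checked.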


