From: Panagiotis Atmatzidis
To: freebsd-questions@freebsd.org
Subject: A way to load PF rules at startup using OpenVPN
Date: Mon, 19 Jan 2015 18:53:40 +0200

Hello,

I’m trying to load my PF at system startup but having issues after installing an OpenVPN server.
The first approach I tried was via rc.conf, here is my configuration:

$ grep pf /etc/rc.conf
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pfstatd_enable="YES"
pflog_logfile="/var/log/pflog”

Theoretically this should be enough. However PF doesn’t load anything at boot. I have to do it manually. I added the following lines at ‘/etc/rc.local’ and it worked for a couple of months:

$ grep pf /etc/rc.local
/sbin/pfctl -f /etc/pf.conf

Now this approach won’t work either. This is a FreeBSD-based VPS. Every time I reboot the VPS I have to manually log in and run ‘pfctl -f /etc/pf.conf’ to load the ruleset.

I think that this has something to do with the ‘tun0’ interface, which is the last thing that is loaded at boot. Probably PF runs before this, sees rules that it doesn’t understand (related to tun0) and comes up short, then tun0 is loaded but it’s too late.

Any ideas on how to solve this are welcomed!

Thanks

Panagiotis (atmosx) Atmatzidis

email: atma@convalesco.org
URL: http://www.convalesco.org
GnuPG ID: 0x1A7BFEC5
gpg --keyserver pgp.mit.edu --recv-keys 1A7BFEC5

"As you set out for Ithaca, hope the voyage is a long one, full of adventure, full of discovery [...]" - C. P.
Cavafy
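
One way to test the boot-order theory in the message above, added here as an example and not part of the original post: wait for the interface, parse-check the ruleset with `pfctl -n`, load it, then confirm pf reports itself enabled so that a failed load at boot is not silent. The interface `tun0` and the path `/etc/pf.conf` come from the message; the function names, the 30-second timeout and the return codes are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Names, timeout and return
# codes are assumptions; tun0 and /etc/pf.conf are taken from the message.
PFCTL=${PFCTL:-/sbin/pfctl}
IFCONFIG=${IFCONFIG:-/sbin/ifconfig}

# wait_for_iface IFACE SECONDS: 0 once IFACE exists, 1 if it never shows up.
wait_for_iface() {
    iface=$1
    left=$2
    while ! "$IFCONFIG" "$iface" >/dev/null 2>&1; do
        [ "$left" -gt 0 ] || return 1
        left=$((left - 1))
        sleep 1
    done
    return 0
}

# load_pf RULES IFACE SECONDS
# returns 0 loaded and enabled, 1 interface missing, 2 ruleset does not
# parse, 3 load failed, 4 rules loaded but pf is not enabled.
load_pf() {
    rules=$1
    if ! wait_for_iface "$2" "$3"; then
        echo "pf: $2 did not appear within ${3}s, ruleset not loaded" >&2
        return 1
    fi
    # -n parses without loading, so a syntax or lookup error is reported
    # here while the currently active ruleset stays untouched.
    "$PFCTL" -nf "$rules" || return 2
    "$PFCTL" -f "$rules" || return 3
    # A loaded ruleset filters nothing while pf itself is disabled.
    "$PFCTL" -s info 2>/dev/null | grep -q '^Status: Enabled' || return 4
    return 0
}

# Only act when called as "<script> run", e.g. from /etc/rc.local.
if [ "${1:-}" = "run" ]; then
    load_pf /etc/pf.conf tun0 30
    exit $?
fi
```

Running `pfctl -nf /etc/pf.conf` by hand right after a reboot, before reloading anything, shows whether the ruleset parses at all in that state.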