Date:      Tue, 20 Jan 2015 15:53:57 +0200
From:      Panagiotis Atmatzidis <atma@convalesco.org>
To:        Maciej Suszko <maciej@suszko.eu>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: A way to load PF rules at startup using OpenVPN [SOLVED]
Message-ID:  <74BA96D6-EB31-4534-9428-C646EF901E5B@convalesco.org>
In-Reply-To: <20150120140631.377bee87@helium>
References:  <F84CF488-7CF6-4580-B169-AA441166E2CB@convalesco.org> <20150120101144.735f0b67@helium> <CALfReyfuR-+OZ4H1RUuwMcvZEgcciwnisCC31vm4+NDaXFVu6g@mail.gmail.com> <F3202279-808B-4CBC-9F67-4CB89E9A59F9@convalesco.org> <20150120140631.377bee87@helium>



> On 20 Jan 2015, at 15:06, Maciej Suszko <maciej@suszko.eu> wrote:
> 
> On Tue, 20 Jan 2015 14:18:28 +0200
> Panagiotis Atmatzidis <atma@convalesco.org> wrote:
> 
> [...]
> 
>> I resolved the issue by creating a devd conf file:
>> 
>> $ cat /etc/devd/tun.conf
>> # Run PF when tun0 is up
>> notify 0 {
>> 	match "system"		"IFNET";
>> 	match "subsystem"	"tun0";
>> 	match "type"		"LINK_UP";
>> 	action "/etc/rc.d/pf start";
>> };
>> 
>> This file makes sure ‘pf’ is executed right after the ‘tun0’ interface is UP, which happens at boot anyway since openvpn is started by ‘rc.conf’. You need to have ‘pf’ enabled in ‘rc.conf’, of course.
>> 
>> It works fine now on every reboot :-)
> 
> It just looks like a solution taken directly from the Linux world... If we
> don't know why it's not working, let's put an rc script somewhere -
> problem solved!
> 
> In my opinion, a properly created pf.conf has nothing to do with openvpn
> - neither running nor stopped.
> 
> Post your pf.conf, pfctl -nvf /etc/pf.conf with tun0 present and
> absent, look at dmesg -a, messages etc.
> 
> Just my 2 cents...
> --
> regards, Maciej Suszko.

Actually never mind, that rule created the problem and it’s not needed at all. VPN users have access to all ports, so I’m all set now.

Thanks Maciej and Krad :-)


Panagiotis (atmosx) Atmatzidis

email:	atma@convalesco.org
URL:	http://www.convalesco.org
GnuPG ID: 0x1A7BFEC5
gpg --keyserver pgp.mit.edu --recv-keys 1A7BFEC5

"As you set out for Ithaca, hope the voyage is a long one, full of adventure, full of discovery [...]" - C. P. Cavafy
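As an added example, not part of the thread, here is a pf.conf fragment of the kind Maciej alludes to: a ruleset that loads whether or not tun0 exists yet, so pf does not have to be restarted from devd once OpenVPN brings the interface up. The interface names, the VPN subnet and the OpenVPN port are assumptions.

```pf
# Added example pf.conf fragment (not from the thread).
# Assumptions: em0 is the LAN/uplink interface, tun0 is the OpenVPN
# interface, 10.8.0.0/24 is the OpenVPN client subnet, 1194/udp is the
# OpenVPN listener. All of these are constructed for the example.
ext_if  = "em0"
vpn_if  = "tun0"
vpn_net = "10.8.0.0/24"
ovpn_port = "1194"

set skip on lo0

# An interface name after "on" is matched at run time, so these rules
# load fine while tun0 does not exist yet (pf starts before openvpn).
block in log all
pass out quick on $ext_if keep state

# Let clients reach the OpenVPN listener. The parentheses make pf look up
# the interface's current addresses when a packet is evaluated, instead of
# expanding them once when pfctl parses the file.
pass in on $ext_if inet proto udp to ($ext_if) port $ovpn_port keep state

# Traffic from VPN clients. Writing "to $vpn_if" without parentheses would
# make pfctl resolve tun0's address at load time, which fails when the
# interface is absent at boot; "to ($vpn_if)" defers that lookup and so
# removes the boot-order dependency the devd hook was working around.
pass in on $vpn_if inet proto { tcp udp } from $vpn_net to ($vpn_if) keep state
```

The check Maciej suggests applies unchanged: `pfctl -nvf /etc/pf.conf` should parse this file successfully both before openvpn has started and after tun0 is up.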
