From owner-freebsd-stable Thu Jun 20 5:15:47 2002
Date: Thu, 20 Jun 2002 14:14:42 +0200
From: Thomas Seck
To: freebsd-stable@FreeBSD.ORG
Subject: Re: IPFW rules on tunX devices
Message-ID: <20020620121420.GA1690@laurel.seck.home>
References: <20020619165721.B438@gsmx07.alcatel.com.au>
In-Reply-To: <20020619165721.B438@gsmx07.alcatel.com.au>
User-Agent: Mutt/1.3.99i
Organization: private site in Germany

* Peter Jeremy (peter.jeremy@alcatel.com.au):
> I have a situation where I want to have some ipfw rules permanently
> associated with tun0. In 4.5-RELEASE, I just included lines like the
> following in the rules file specified as firewall_type in rc.conf:
>     add 11010 allow tcp from 10.2.3.4 to 10.2.3.5 keep-state in recv tun0 setup
>
> In 4.6-RELEASE, the tun devices are created on demand and so tun0
> doesn't exist when the firewall rules are added. Other
> than starting ppp(8), how do I create tun0? I thought
>     ifconfig tun0 create
> would work, but that returns:
>     ifconfig: SIOCIFCREATE: Invalid argument
>
> Any suggestions?
From my understanding of ipfw, the interfaces you create rules for do not necessarily need to exist at creation time for ipfw to apply them later. I use ipfw for trivial firewalling [0] on tun* devices since 4.0 w/o problems. Just ignore "ipfw add"'s warning message about the nonexistent interface.

[0] Rules like "reset tcp from any to any in recv tun0 setup" and the like. Here these rules are created using a fitting /etc/rc.firewall before ppp(8) is started.

--Thomas
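As an added illustration of the approach described in the thread (this is not code from either poster), the following rc.firewall-style fragment installs the tun0 rules before ppp(8) has created the interface. The `fwcmd` variable follows the convention of FreeBSD's stock rc.firewall; the addresses 10.2.3.4 and 10.2.3.5 are taken from Peter's example rule, and the rule numbers, the `install` argument and the helper function names are assumptions made for this example. Passing `echo` instead of `/sbin/ipfw` previews the rule set without touching the live firewall.

```shell
#!/bin/sh
# Added example: ipfw rules that reference tun0 before the interface exists.
# ipfw stores the interface name and matches it once tun0 appears;
# "ipfw add" only prints a warning about the missing interface.

# Firewall command, as in FreeBSD's rc.firewall. Override with fwcmd=echo
# to preview the rules instead of installing them.
fwcmd="${fwcmd:-/sbin/ipfw}"

# Constructed sample addresses (from the rule quoted in the thread).
ppp_local="10.2.3.5"
ppp_peer="10.2.3.4"

# tun0_rules CMD: run CMD once per rule. CMD is /sbin/ipfw for a live
# install or echo for a dry run; the rule text is identical in both cases.
tun0_rules() {
    cmd="${1:-${fwcmd}}"
    # Consult the dynamic rule table first so replies to tracked
    # connections are accepted without re-evaluating the static rules.
    ${cmd} add 11000 check-state
    # Allow the peer to open TCP sessions to this host over tun0 and
    # track them (Peter's rule).
    ${cmd} add 11010 allow tcp from ${ppp_peer} to ${ppp_local} keep-state in recv tun0 setup
    # Reject every other inbound TCP connection attempt arriving on tun0
    # (Thomas's rule); "reset" answers with RST rather than dropping silently.
    ${cmd} add 11020 reset tcp from any to any in recv tun0 setup
    # Track connections this host opens over tun0 so their replies match
    # the check-state rule above.
    ${cmd} add 11030 allow tcp from any to any out xmit tun0 setup keep-state
}

# Number of rules this fragment installs; handy for a sanity check in a
# preview run (assumed helper, not part of rc.firewall).
count_tun0_rules() {
    tun0_rules echo | wc -l | tr -d ' '
}

# "sh tun0-rules.sh install" applies the rules; any other invocation
# just prints them, which is also what running the file with no
# arguments does.
case "${1:-}" in
    install) tun0_rules "${fwcmd}" ;;
    *)       tun0_rules echo ;;
esac
```

Sourced from /etc/rc.firewall (or pointed to by `firewall_type` in rc.conf), this runs at boot before ppp(8), which is the ordering Thomas describes; the warning that `ipfw add` prints about tun0 not existing is expected and harmless, since the rules become effective as soon as ppp creates the interface.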