Date:      Thu, 27 Dec 2018 12:09:39 +0100
From:      Willem Jan Withagen <wjw@digiware.nl>
To:        Eugene Grosbein <eugen@grosbein.net>, Craig Leres <leres@freebsd.org>, Dave Cottlehuber <dch@skunkwerks.at>, freebsd-hackers@freebsd.org
Subject:   Re: rcorder for vpn-like tunnels during early rc.d startup
Message-ID:  <f2d7e351-f895-5f9e-d4fd-d6db34ae5ba4@digiware.nl>
In-Reply-To: <8a8c6e8e-4781-9e03-36cf-b7974cb719bc@grosbein.net>
References:  <1545487265.3497867.1616158504.69E513B4@webmail.messagingengine.com> <f9a31f17-0e5f-265a-60ac-010e0c16bc22@grosbein.net> <b86faac8-9428-7935-6444-a9a1ac032250@freebsd.org> <8a8c6e8e-4781-9e03-36cf-b7974cb719bc@grosbein.net>

On 22/12/2018 19:28, Eugene Grosbein wrote:
> 23.12.2018 1:22, Craig Leres wrote:
> 
>> On 12/22/18 7:18 AM, Eugene Grosbein wrote:
>>> You should not try to make it start before packet filters, that is wrong
>>
>> How should I handle the case where I start several openvpn tunnels and have references to them in my pf.conf? My solution was to write a rc.d script that gives a configured list of tun devices up to a minute to come up and then do a "service pf reload".
> 
> And this is the right thing to do :-)
> I mean, if your filtering rules depend on an ever-changing list of interfaces,
> just reconfigure the filter when the list changes
> or better teach the filter to catch up with changes automatically, if possible.

Might want to use the ifup/ifdown scripts to add the specifics for the 
VPN that just came up. Tricky part is how to get things in the tables at 
the right place.

So with IPFW I use specific line numbers reserved to insert certain 
rules. (using counter rules to split the fw code into blocks)

But it sort of feels like going back to 80's BASIC programming.

--WjW
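The "wait for the tun devices, then reload pf" script Craig describes, as an added example written for this archive page and not code from anyone in the thread: it polls a configured list of interfaces for up to a minute and only then runs `service pf reload`, leaving the loaded ruleset untouched if a tunnel never appears. The interface list, the 60-second timeout and the `openvpn` rc.d name in the REQUIRE header are assumptions; it is plain POSIX sh with the rcorder(8) headers kept as comments, so the helper functions run outside FreeBSD as well.

```sh
#!/bin/sh
# rcorder(8) reads these header comments. "pf" is /etc/rc.d/pf; "openvpn" is
# the rc.d name assumed here for the security/openvpn port's script.
# PROVIDE: pf_tun_reload
# REQUIRE: openvpn pf

# Constructed defaults: the tun devices pf.conf refers to, and how long to wait.
WAIT_IFACES="${WAIT_IFACES:-tun0 tun1}"
WAIT_TIMEOUT="${WAIT_TIMEOUT:-60}"

# iface_exists NAME: true once the interface is configured. On FreeBSD
# `ifconfig NAME` exits non-zero for an interface that does not exist.
iface_exists() {
    ifconfig "$1" >/dev/null 2>&1
}

# missing_ifaces "LIST": print, one per line, the names in LIST not yet present.
missing_ifaces() {
    for i in $1; do
        iface_exists "$i" || printf '%s\n' "$i"
    done
}

# wait_for_ifaces "LIST" TIMEOUT: poll once a second until every interface in
# LIST exists or TIMEOUT seconds elapse. Returns 0 if all came up, 1 on timeout.
wait_for_ifaces() {
    _list=$1 _deadline=$2 _elapsed=0
    while [ "$_elapsed" -lt "$_deadline" ]; do
        [ -z "$(missing_ifaces "$_list")" ] && return 0
        sleep 1
        _elapsed=$((_elapsed + 1))
    done
    echo "still missing after ${_deadline}s: $(missing_ifaces "$_list" | tr '\n' ' ')" >&2
    return 1
}

# Reload pf only once every listed tunnel exists. On timeout the currently
# loaded ruleset is left alone and the missing tunnels are reported instead.
reload_pf_when_ready() {
    wait_for_ifaces "$WAIT_IFACES" "$WAIT_TIMEOUT" || return 1
    service pf reload
}

case "${1:-}" in
    start) reload_pf_when_ready ;;
esac
```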
