tun devices and firewall

Tim Pushor timp at crossthread.com
Sun Mar 7 10:42:34 PST 2004


JJB,

Wow, those are some very powerful opinions that you have and are touting 
as fact.

Regardless, I was not asking about the relative stability of the current 
branch, or advice on coding rules. I simply have a firewall that I have 
a default deny, and I write rules for what I want to allow. I have a 
couple of on again off again PPP over SSH tunnels (that I will get rid 
of, *that* seems like a dirty solution to me) that I am sure are going 
to give me grief.

I also use mpd to allow a couple of pptp connections, and packets coming 
from ng0-4 were failing (because there was no rule allowing them).

I added a rule to allow traffic coming from ng0-4, and would like to do 
something similar for the tun devices. Of course, there are other ways 
to accomplish this; I was just wondering if I could get the interfaces 
created before the firewall started up somehow. I did try to add a 
number to the tun device in the kernel config file, but it didn't like 
it (as I had suspected). It's just that adding a rule based on the tun 
devices is fairly clean, and easy to understand by someone going through 
the rules.

Tim

JJB wrote:

>PF is brand new to FBSD and I have not played with it yet. But it
>can't be that different.  First of all, you only create filter rules
>for the interface connected to the public internet. Rules on other
>internal interfaces are an invalid configuration of the firewall.
>There are no error messages to tell you this. For the max in
>protection, you must code stateful rules, i.e., the bi-directional
>packet exchange flow is monitored during the complete session
>conversation. I do not know if PF has that ability, like ipfilter
>does.  Should default to deny all in or out packets that are not
>allowed by a stateful session conversation start rule. As far as
>devices not being used, the firewall does not care. All it cares
>about is that the device is defined in the kernel. New in 5.x the
>/dev entry gets automatically created on first time use and is there
>from that point on.
>
>FYI, 5.2.1 is a version of FBSD just for developers who can debug
>kernel code. 5.2.1 is very dirty and crashes all the time under
>moderate to heavy loads. The official FBSD handbook says use it at
>your own risk. You should not be using this for a mission-critical
>environment. The 4.9 stable release is the version you should be
>using, anything else is a big gamble.
>
>-----Original Message-----
>From: owner-freebsd-questions at freebsd.org
>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Tim Pushor
>Sent: Sunday, March 07, 2004 1:09 AM
>To: questions at freebsd.org
>Subject: tun devices and firewall
>
>Hi all,
>
>I am building a new firewall based on 5.2.1-RELEASE. I am using the
>openbsd port of PF, but I think that my question is fairly generic.
>
>I have remote systems that sort of vpn through this one using
>ppp-over-ssh. This uses tun devices. In the past, when I had
>configured X number of devices in the kernel, those interfaces were
>always present in the system, and I think I could firewall based on
>them.
>
>Now in FreeBSD 5, the interfaces (or entries in /dev) don't exist
>until they are actually used (I think, I am having some trouble
>getting ppp working, but I think I have another problem).
>
>I had to add rules to enable traffic over the ngx devices as well
>for some other things I'm running, and I assume I'll have to do the
>same for the tun devices. Does anyone have any advice as to what I
>can do? pf doesn't know about the tun devices at boot time, so I
>can't use them in the ruleset.
>
>Thanks,
>Tim
>
>(PS Please CC: me as I am not subscribed to the list - Thanks)


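The two practical answers to the question in the thread, as an added example that is not part of the original posts: have the tun interfaces exist before pf loads, or write the rule so that it does not depend on a particular unit existing. On current FreeBSD, tun is a cloning driver, so `ifconfig tun0 create` (or `cloned_interfaces="tun0 tun1"` in /etc/rc.conf, which the netif script runs before the pf script) creates the interface at boot, and every cloned tunN is placed in the interface group named `tun`. A pf.conf rule that names the group instead of a unit therefore matches whichever tunN ppp picks, including one created after the ruleset was loaded. The interface name fxp0 and the address range below are assumptions for illustration; the ng interfaces created by mpd are not if_clone interfaces, so check `ifconfig ng0` for a `groups:` line before relying on a group name for them.

```conf
# /etc/pf.conf fragment. Added example, not from the thread.
# Interface and address names are assumptions.
ext_if  = "fxp0"          # assumed public interface
vpn_net = "10.0.1.0/24"   # assumed addresses used on the PPP links

set block-policy drop
set skip on lo0

# Default deny, as in the original ruleset: everything not explicitly
# passed below is dropped and logged.
block log all

# Public side. The PPP-over-SSH tunnels arrive here as ordinary SSH
# sessions, so they need a stateful rule on the outside interface too.
pass in  on $ext_if proto tcp from any to ($ext_if) port 22 keep state
pass out on $ext_if keep state

# Decapsulated PPP traffic. "tun" with no unit number is the interface
# group, so this applies to tun0, tun7, or a tun interface that did not
# exist when the ruleset was loaded.
pass in  on tun from $vpn_net to any keep state
pass out on tun from any to $vpn_net keep state

# Per-unit form, for comparison: pinned to one interface name. Fine when
# the unit is guaranteed (cloned_interfaces="tun0" in rc.conf), brittle
# when ppp takes the next free unit.
# pass in on tun0 from $vpn_net to any keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -s Interfaces` shows which interfaces and groups pf currently knows about; after `ifconfig tun0 create`, `ifconfig tun0` should list `groups: tun`. Note that the group rule passes traffic for every tun interface on the box, not just the tunnels in question, so if other tun users appear later the address-based `from`/`to` constraints are what keep the rule tight.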