conf/128005: /etc/rc.d/pf should REQUIRE ppp

Bruce Cran bruce at cran.org.uk
Fri Oct 10 23:09:16 UTC 2008


remko at FreeBSD.org wrote:
> Synopsis: /etc/rc.d/pf should REQUIRE ppp
>
> State-Changed-From-To: open->closed
> State-Changed-By: remko
> State-Changed-When: Fri Oct 10 19:35:37 UTC 2008
> State-Changed-Why: 
> This had been discussed before and will not be incorporated. You can do
> that manually if needed and you can use cloned_interfaces to set up tun0
> in advance. Reason for this being loaded as soon as possible, is that
> the network stack is protected, if you do it differently there is a
> window of opportunity to break in. So you can do that locally if needed,
> but it will not get incorporated into the tree. This is a summary of
> what had been discussed before. Thanks for taking the time to submit
> this and for using FreeBSD!
>   

For pf another solution is to use '(tun0)' instead of just the plain 
'tun0' when specifying the source or destination interface; that causes 
the parsing to be done at runtime and allows the ruleset to be loaded 
when tun0 doesn't have an IP address.

e.g. use "pass out on tun0 proto tcp from (tun0) to any"

-- 
Bruce
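
The two suggestions in this thread, combined into one configuration. This is an added example, not part of the original messages; the file fragments are constructed and the macro name ext_if is an assumption.

```conf
# --- /etc/rc.conf (constructed fragment) ---
# Create tun0 at boot so the interface exists before ppp brings the link up.
cloned_interfaces="tun0"
# pf keeps its early place in the rc.d order, so the network stack is
# filtered before any link comes up.
pf_enable="YES"
pf_rules="/etc/pf.conf"

# --- /etc/pf.conf (constructed fragment) ---
ext_if = "tun0"

# Parse-time form: a bare interface name used as an address is resolved
# when the ruleset is loaded. With no address on tun0 yet, the load fails
# and the boot continues without the intended ruleset.
# pass out on $ext_if proto tcp from $ext_if to any

# Runtime form: the parentheses defer the address lookup, so the ruleset
# loads before ppp has configured tun0, and pf updates the rule whenever
# the interface address changes.
pass out on $ext_if proto tcp from ($ext_if) to any

# Parse-check the file without loading it:
#   pfctl -nf /etc/pf.conf
```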

