A way to load PF rules at startup using OpenVPN [SOLVED]

Panagiotis Atmatzidis atma at convalesco.org
Tue Jan 20 13:54:06 UTC 2015


> On 20 Jan 2015, at 15:06, Maciej Suszko <maciej at suszko.eu> wrote:
> 
> On Tue, 20 Jan 2015 14:18:28 +0200
> Panagiotis Atmatzidis <atma at convalesco.org> wrote:
> 
> [...]
> 
>> I resolved the issue by creating a devd conf file:
>> 
>> $ cat /etc/devd/tun.conf
>> # Run PF when tun0 is up
>> notify 0 {
>> 	match "system"		"IFNET";
>> 	match "subsystem"	"tun0";
>> 	match "type"		"LINK_UP";
>> 	action "/etc/rc.d/pf start";
>> };
>> 
>> This file makes sure ‘pf’ is executed right after the ‘tun0’ interface is UP, which happens at boot anyway since openvpn is started by ‘rc.conf’. You need to have ‘pf’ enabled in ‘rc.conf’ of course.
>> 
>> It works fine now on every reboot :-)
> 
> It just looks like a solution taken directly from the Linux world... If we
> don't know why it's not working, let's put an rc script somewhere -
> problem solved!
> 
> In my opinion, a properly created pf.conf has nothing to do with openvpn
> - neither running nor stopped.
> 
> Post your pf.conf, pfctl -nvf /etc/pf.conf with tun0 present and
> absent, look at dmesg -a, messages etc.
> 
> Just my 2 cents...
> --
> regards, Maciej Suszko.

Actually never mind, that rule created the problem and it’s not needed at all. VPN users have access to all ports, so I’m all set now.

Thanks Maciej and Krad :-)


Panagiotis (atmosx) Atmatzidis

email:	atma at convalesco.org
URL:	http://www.convalesco.org
GnuPG ID: 0x1A7BFEC5
gpg --keyserver pgp.mit.edu --recv-keys 1A7BFEC5

"As you set out for Ithaca, hope the voyage is a long one, full of adventure, full of discovery [...]" - C. P. Cavafy



