A way to load PF rules at startup using OpenVPN

krad kraduk at gmail.com
Tue Jan 20 14:14:30 UTC 2015


cloned_interfaces should take care of that, as I have tun0 referenced in my
pf.conf and it works fine. Check it's defined correctly with:

# sysrc cloned_interfaces
cloned_interfaces: gif0 tun0 bridge0



another way of doing it would be to comment out the last line in your
pf.conf and add an anchor at the end

e.g.
anchor "vpn/*"


then do something like

echo "pass in quick on vtnet0 proto { tcp udp } from tun0 to vtnet0 port 8123" | pfctl -a vpn -f -

after openvpn has started up.

The problem you have is that if someone stops openvpn from running at startup,
suddenly you have no firewall. It's also starting up much later than it
should, so you are exposing yourself for a small window of time.


On 20 January 2015 at 13:39, Panagiotis Atmatzidis <atma at convalesco.org>
wrote:

> Hello,
>
> > On 20 Jan 2015, at 15:06, Maciej Suszko <maciej at suszko.eu> wrote:
> >
> > On Tue, 20 Jan 2015 14:18:28 +0200
> > Panagiotis Atmatzidis <atma at convalesco.org> wrote:
> >
> > […]
> >
> > Post your pf.conf, pfctl -nvf /etc/pf.conf with tun0 present and
> > absent, look at dmesg -a, messages etc.
>
> Using ‘pfctl -nvf /etc/pf.conf’ without tun0 comes up with the following
> error:
>
> No IP address found for tun0
> /etc/pf.conf:86: could not parse host specification
>
> Line 86 is:
> https://gist.github.com/atmosx/2dcff31a0d8868d4b1c7#file-pf-conf-L83 <
> https://gist.github.com/atmosx/2dcff31a0d8868d4b1c7#file-pf-conf-L86>
>
> But how do I bypass this using pf.conf alone? The .conf needs to become
> ‘dynamic’ somehow.
>
> >
> > Just my 2 cents...
> > --
> > regards, Maciej Suszko.
>
>
>
> Panagiotis (atmosx) Atmatzidis
>
> email:  atma at convalesco.org
> URL:    http://www.convalesco.org
> GnuPG ID: 0x1A7BFEC5
> gpg --keyserver pgp.mit.edu --recv-keys 1A7BFEC5
>
> "As you set out for Ithaca, hope the voyage is a long one, full of
> adventure, full of discovery [...]" - C. P. Cavafy
>
>
>
>
>

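The anchor approach above, written out as an OpenVPN "up"/"down" hook script (an added example, not code from the thread): the main pf.conf stays loadable without tun0 because it only carries anchor "vpn/*", and the tun0-specific rule is loaded into that anchor once OpenVPN has brought the interface up. It assumes the interface names and port from the thread (vtnet0, tun0, 8123), that OpenVPN's configuration contains "script-security 2" and "up"/"down" entries pointing at this script, and that the script path and the "vpn" anchor name are the ones chosen here.

```shell
#!/bin/sh
# Example OpenVPN up/down hook: load tun0-specific pf rules into the "vpn" anchor
# after the tunnel exists, flush them when it goes away. Assumed setup:
#   pf.conf            : anchor "vpn/*"
#   openvpn config     : script-security 2
#                        up   /usr/local/etc/openvpn/pf-vpn.sh   (assumed path)
#                        down /usr/local/etc/openvpn/pf-vpn.sh
# OpenVPN exports script_type (up|down) and dev (tun0) in the environment and
# passes the tunnel device as $1.

ANCHOR="vpn"
LAN_IF="vtnet0"
VPN_PORT="8123"

# Print the anchor ruleset for the given tunnel interface on stdout.
vpn_rules() {
    tun="$1"
    printf 'pass in quick on %s proto { tcp udp } from %s to %s port %s\n' \
        "$LAN_IF" "$tun" "$LAN_IF" "$VPN_PORT"
}

# Validate with -n first so a parse error (e.g. "No IP address found for tun0")
# leaves the anchor untouched instead of half-loaded; then load for real.
load_anchor() {
    tun="$1"
    vpn_rules "$tun" | pfctl -a "$ANCHOR" -n -f - || return 1
    vpn_rules "$tun" | pfctl -a "$ANCHOR" -f -
}

# Remove the tunnel rules when OpenVPN stops; the main ruleset is unaffected.
flush_anchor() {
    pfctl -a "$ANCHOR" -F rules
}

# Only act when invoked by OpenVPN (script_type is set); sourcing or running
# the file by hand without it does nothing.
case "${script_type:-}" in
    up)   load_anchor "${1:-${dev:-tun0}}" ;;
    down) flush_anchor ;;
esac
```

Because the rule lives in the anchor, "pfctl -nvf /etc/pf.conf" passes whether or not tun0 exists, and "pfctl -a vpn -sr" shows what is currently loaded for the tunnel.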
