Wow, those are some very powerful opinions that you have and are touting as fact.

Regardless, I was not asking about the relative stability of the current branch, or for advice on coding rules. I simply have a firewall that has a default deny, and I write rules for what I want to allow. I have a couple of on-again, off-again PPP over SSH tunnels (that I will get rid of; *that* seems like a dirty solution to me) that I am sure are going to give me grief.

I also use mpd to allow a couple of pptp connections, and packets coming from ng0-4 were failing (because there was no rule allowing them).

I added a rule to allow traffic coming from ng0-4, and would like to do something similar for the tun devices. Of course, there are other ways to accomplish this; I was just wondering if I could get the interfaces created before the firewall started up somehow. I did try to add a number to the tun device in the kernel config file, but it didn't like it (as I had suspected). It's just that adding a rule based on the tun devices is fairly clean, and easy to understand by someone going through the rules...

JJB wrote:

PF is brand new to FBSD and I have not played with it yet. But it
can't be that different.  First of all, you only create filter rules
for the interface connected to the public internet. Rules on other
internal interfaces are an invalid configuration of the firewall.
There are no error messages to tell you this. For the max in
protection, you must code stateful rules, i.e. the bi-directional
package exchange flow is monitored during the complete session
conversation. I do not know if PF has that ability, like ipfilter
does.  Should default to deny all in or out packets that are not
allowed by a stateful session conversation start rule. As far as
devices not being used, the firewall does not care. All it cares
about is that the device is defined in the kernel. New in 5.x, the
/dev entry gets automatically created on first-time use and is there
from that point on.

FYI, 5.2.1 is a version of FBSD just for developers who can debug
kernel code. 5.2.1 is very dirty and crashes all the time under
moderate to heavy loads. The official FBSD handbook says use it at
your own risk. You should not be using this for a mission-critical
environment. The 4.9 stable release is the version you should be
using; anything else is a big gamble.

I am building a new firewall based on 5.2.1-RELEASE. I am using the
openbsd port of PF, but I think that my question is fairly generic.

I have remote systems that sort of VPN through this one using
ppp-over-ssh. This uses tun devices. In the past, when I had
X number of devices in the kernel, those interfaces were always
in the system, and I think I could firewall based on them.

Now in FreeBSD 5, the interfaces (or entries in /dev) don't exist
until they are actually used (I think; I am having some trouble getting
it working, but I think I have another problem).

I had to add rules to enable traffic over the ngx devices as well as
some other things I'm running, and I assume I'll have to do the same for
the tun devices. Does anyone have any advice as to what I can do? pf
doesn't know about the tun devices at boot time, so I can't use them in
the ruleset.
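As an added illustration of the ruleset shape being discussed (default deny, stateful rules on the public interface, plus explicit pass rules for the mpd ng* and ppp-over-ssh tun* interfaces), here is a constructed pf.conf fragment. It is not from either poster's configuration; it assumes the public interface is fxp0, the LAN is 192.168.1.0/24, and that this pf release supports interface-group names (so "ng" and "tun" match every ng*/tun* interface, including ones created after the rules are loaded). If the installed pf lacks interface groups, replace the group names with an explicit list such as `{ tun0 tun1 }`.

```conf
# Constructed example pf.conf fragment (added here; not from the thread).
# Assumptions: fxp0 is the public interface, 192.168.1.0/24 is the LAN,
# and interface-group names ("ng", "tun") are supported by this pf.
ext_if  = "fxp0"
lan_net = "192.168.1.0/24"

set skip on lo0

# Default deny, logged: anything not explicitly passed below lands in pflog,
# which is also how you find out which tunnel interface a dropped packet used.
block log all

# Stateful rules on the public interface only. Outbound sessions create state,
# and the replies are matched against that state rather than by a separate rule.
pass out on $ext_if proto { tcp udp icmp } from any to any keep state

# Inbound services on the public address: ssh, and pptp control + GRE data
# so that mpd can accept the remote pptp clients.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh  keep state
pass in on $ext_if proto tcp from any to ($ext_if) port 1723 keep state
pass in on $ext_if proto gre from any to ($ext_if)           keep state

# Tunnel interfaces. Matching on the group name means ng5 or tun2 appearing
# later is covered without editing the ruleset. Tighten "from any" to the
# tunnel's address pool once the remote side's addressing is fixed.
pass in  on ng  from any to any keep state
pass out on ng  from any to any keep state
pass in  on tun from any to any keep state
pass out on tun from any to any keep state

# Without interface groups, use an explicit list instead of the group name:
# tun_ifs = "{ tun0 tun1 }"
# pass in on $tun_ifs from any to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules as pf parsed them, and `tcpdump -n -e -ttt -i pflog0` shows what the `block log` rule is dropping and on which interface.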
