Wow those are some very powerful opinions that you have and are touting as fact.
Regardless, I was not asking about the relative stability of the current branch, or for advice on coding rules. I simply have a firewall with a default deny, and I write rules for what I want to allow. I have a couple of on-again, off-again PPP over SSH tunnels (that I will get rid of; *that* seems like a dirty solution to me) that I am sure are going to give me grief.
I also use mpd to allow a couple of pptp connections, and packets coming from ng0-4 were failing (because there was no rule allowing them).
I added a rule to allow traffic coming from ng0-4, and would like to do something similar for the tun devices. Of course, there are other ways to accomplish this; I was just wondering if I could get the interfaces created before the firewall started up somehow. I did try to add a number to the tun device in the kernel config file, but it didn't like it (as I had suspected). It's just that adding a rule based on the tun devices is fairly clean, and easy to understand by someone going through the rules.
PF is brand new to FBSD and I have not played with it yet. But it can't be that different. First of all, you only create filter rules for the interface connected to the public internet. Rules on other internal interfaces are an invalid configuration of the firewall. There are no error messages to tell you this. For the maximum in protection, you must code stateful rules, i.e. the bi-directional packet exchange flow is monitored during the complete session conversation. I do not know if PF has that ability, like ipfilter does. It should default to denying all in or out packets that are not allowed by a stateful session conversation start rule. As far as devices not being used, the firewall does not care. All it cares about is that the device is defined in the kernel. New in 5.x, the /dev entry gets created automatically on first use and is there from that point on.
FYI, 5.2.1 is a version of FBSD just for developers who can debug kernel code. 5.2.1 is very dirty and crashes all the time under moderate to heavy loads. The official FBSD handbook says use it at your own risk. You should not be using this for a mission-critical environment. The 4.9 stable release is the version you should be using; anything else is a big gamble.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Tim Pushor Sent: Sunday, March 07, 2004 1:09 AM To: [EMAIL PROTECTED] Subject: tun devices and firewall
I am building a new firewall based on 5.2.1-RELEASE. I am using the openbsd port of PF, but I think that my question is fairly generic.
I have remote systems that sort of VPN through this one using ppp-over-ssh. This uses tun devices. In the past, when I had configured X number of devices in the kernel, those interfaces were always present in the system, and I think I could firewall based on them.
Now in FreeBSD 5, the interfaces (or entries in /dev) don't exist until they are actually used (I think, I am having some trouble getting ppp working, but I think I have another problem).
I had to add rules to enable traffic over the ngx devices as well for some other things I'm running, and I assume I'll have to do the same for the tun devices. Does anyone have any advice as to what I can do? pf doesn't know about the tun devices at boot time, so I can't use them in the ruleset.
(PS Please CC: me as I am not subscribed to the list - Thanks) _______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
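An added example for the question in the reply above (how to have the tun interfaces exist before the firewall loads its rules); this is editor-added code, not something posted by anyone in the thread. It assumes FreeBSD 5.x-style interface cloning (`ifconfig tunN create`) and the pfctl shipped with the security/pf port, and uses placeholder names: fxp0 for the public interface and tun0/tun1 for the two ppp-over-ssh peers, with inbound SSH on port 22 assumed to be the only service the outside may reach. pf applies `block all` on every interface, not just the external one, so the tunnel interfaces need their own stateful pass rule, which is the same thing Tim saw with packets from ng0-4. Creating the interfaces first means the rule can name them at load time instead of waiting for the first use of /dev/tunN.

```shell
#!/bin/sh
# Editor-added example, not from the thread. Creates the tun interfaces that
# ppp-over-ssh will use, then loads a default-deny, stateful pf ruleset that
# names them. Interface names, the tun list and the SSH port are placeholders.

EXT_IF="fxp0"            # assumed: interface facing the public internet
TUN_IFS="tun0 tun1"      # assumed: one tun per ppp-over-ssh peer
PF_CONF="/etc/pf.conf"

# Clone each interface that does not exist yet (assumes 5.x cloning support).
# Idempotent, so it is safe to run on every boot before pf starts.
precreate_ifaces() {
    for ifn in "$@"; do
        ifconfig "$ifn" >/dev/null 2>&1 || ifconfig "$ifn" create
    done
}

# Emit the ruleset to stdout. Argument 1 is the external interface, the rest
# are tunnel interfaces. Default deny both ways; every pass rule keeps state,
# so only the initiating packet has to match and replies ride the state entry.
gen_pf_rules() {
    ext_if="$1"; shift
    list=""
    for ifn in "$@"; do
        list="${list:+$list, }$ifn"
    done
    printf 'ext_if = "%s"\n' "$ext_if"
    printf 'tun_ifs = "{ %s }"\n' "$list"
    printf 'set block-policy drop\n'
    printf 'scrub in all\n'
    printf 'block all\n'
    # Assumed: the remote peers reach this box over SSH to bring up PPP.
    printf 'pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state\n'
    printf 'pass out on $ext_if keep state\n'
    # Without this the tunnels are blocked too, since "block all" covers them.
    printf 'pass on $tun_ifs keep state\n'
}

# Only touch the system when explicitly asked: "sh pf-tun.sh apply".
case "${1:-}" in
    apply)
        precreate_ifaces $TUN_IFS
        gen_pf_rules "$EXT_IF" $TUN_IFS > "$PF_CONF"
        pfctl -f "$PF_CONF"
        ;;
esac
```

Run it with the `apply` argument from a boot script that is ordered before the pf rc script; for a persistent setup the same interface list can go in rc.conf's `cloned_interfaces` variable (assumed to be available on this release) and only the ruleset part is needed. Check the generated file with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -sr` afterwards to confirm the tun rule was accepted.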