[EMAIL PROTECTED] wrote:
> Does this point to a problem with "set skip on { lo, tun0 }"? I
> will try your suggestion to see if it works (pass quick on { tun0
> tun1 }), but I dislike using "quick" in my rules.
> I added "up" to my /etc/hostname.tun0 to see if that worked based
> on one of the suggestions, but the startup problem still exists. I
> have since removed "up" since in the past I have never needed to
> use it, and I read somewhere that "touch /etc/hostname.tun0" was all
> that I needed.
Your experience matches mine. Having "up" in /etc/hostname.tun0 wasn't
enough; OpenVPN traffic was still blocked on the tun interface. Using
the "pass quick on tun0" rule somewhere at the top of your rules should
work for you; let me know if not.
For completeness, here's my pf.conf as well so you can compare:
ext_if="fxp2"
int_if="fxp1"
wifi_if="fxp0"
voip="192.168.10.2"
high_pri_tcp="22, 6667"
med_pri_tcp="21, 25, 80, 110, 443, 995, 1723"
high_pri_udp="53"
med_pri_udp="123"

# hosts that trip the ssh connection-rate limit below
table <scanners> persist

set skip on lo
set loginterface $ext_if
set ruleset-optimization basic
set block-policy return

scrub in

# outbound shaping on the external link
altq on $ext_if cbq bandwidth 495Kb queue { q_low, q_med, q_high, q_max }
queue q_low bandwidth 63% priority 0 cbq(default)
queue q_med bandwidth 15% priority 2 cbq(borrow)
queue q_high bandwidth 15% priority 4 cbq(borrow)
queue q_max bandwidth 7% priority 6 cbq(borrow)

nat-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

anchor "ftp-proxy/*"

antispoof quick for { lo $int_if $wifi_if }
block drop quick from <scanners>

# default policy: block (and log) inbound, allow outbound
block in log
pass out

# OpenVPN tunnel interfaces; "quick" so nothing below can override this
pass quick on { tun0 tun1 }

# LAN: tag VoIP and Quake 3 traffic so it can be queued on the way out
pass quick on $int_if from $voip to any no state tag PHONE
pass quick on $int_if inet proto udp from any port 27960 no state tag Q3
pass quick on $int_if no state

# wireless: only ssh, DHCP, OpenVPN (udp/1194) and icmp to the router itself
pass in quick on $wifi_if inet proto tcp to ($wifi_if) port ssh
pass in quick on $wifi_if inet proto udp from any port bootpc to any port bootps
pass in quick on $wifi_if inet proto udp to ($wifi_if) port 1194
pass in quick on $wifi_if inet proto icmp to ($wifi_if)
## only used when an open AP is needed, e.g. guests over
##pass in quick on $wifi_if
block in on $wifi_if

block in quick on $ext_if inet6 all
pass in on $ext_if inet proto icmp
# ssh from outside, rate limited; offenders land in <scanners> and are dropped above
pass in on $ext_if inet proto tcp to ($ext_if) port ssh flags S/SA \
    keep state (source-track rule, max-src-conn-rate 5/60, overload \
    <scanners> flush global) queue q_high

# outbound queue assignment; tagged and listed ports get priority
pass out on $ext_if inet to any queue (q_low,q_med)
pass out quick on $ext_if inet to any tagged PHONE queue q_max
pass out quick on $ext_if inet to any tagged Q3 queue q_high
pass out quick on $ext_if inet proto tcp to any port { $high_pri_tcp } \
    queue q_high
pass out quick on $ext_if inet proto tcp to any port { $med_pri_tcp } \
    queue (q_med,q_high)
pass out quick on $ext_if inet proto udp to any port { $high_pri_udp } \
    queue q_high
pass out quick on $ext_if inet proto udp to any port { $med_pri_udp } \
    queue q_med
pass out quick on $ext_if inet proto icmp queue q_high
HTH,
Mark
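As an added illustration (not Mark's or the original poster's configuration), here is a minimal pf.conf for an OpenVPN gateway that puts the two approaches from the thread side by side: the "set skip on tun0" exemption the poster started with, and the "pass quick on tun0" rule Mark recommends. It uses the same pre-4.7 "nat on" syntax as the ruleset above. The interface names (em0, tun0), the 10.8.0.0/24 tunnel network and the udp/1194 listener are assumptions for the example.

```pf
# Added example, not from the original thread. Assumed: external interface
# em0, OpenVPN listening on udp/1194, tunnel interface tun0 carrying the
# 10.8.0.0/24 VPN network.
ext_if="em0"
vpn_if="tun0"
vpn_net="10.8.0.0/24"

# Option A: exempt the tunnel from pf entirely. Packets on tun0 are then
# neither filtered, scrubbed nor state-tracked, and never appear in
# "pfctl -ss". Left commented out here in favour of option B.
# set skip on { lo $vpn_if }

set skip on lo
set block-policy return
scrub in

# Translation rules must precede filter rules in this pf syntax.
# Let VPN clients reach the outside through this box.
nat on $ext_if from $vpn_net to any -> ($ext_if)

# Default policy.
block in log
pass out

# Option B (what the thread settled on): pass everything on the tunnel
# interface. "quick" ends rule evaluation here, so no later block rule can
# override it, and the rule still creates state, so tunnel traffic shows
# up in "pfctl -ss" for debugging. Narrow it with "from $vpn_net" if VPN
# clients should not have blanket access to the gateway.
pass quick on $vpn_if

# Only the OpenVPN listener itself is opened on the external interface; the
# decrypted traffic arrives on tun0 and is handled by the rule above.
pass in on $ext_if inet proto udp from any to ($ext_if) port 1194
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading with "pfctl -f /etc/pf.conf"; "pfctl -sr" shows the loaded rules and "pfctl -ss" the state table. The practical difference between the options is that with "set skip" the tunnel is invisible to pf (no logging, no scrub, no state), whereas "pass quick" keeps the traffic inside pf's normal processing while still guaranteeing it is never blocked by a later rule.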