I have a small FreeBSD router and firewall and am moving from IPFW to PF. The main strategy is as follows: block all traffic, except from the NAT'ed network, and the host itself. In IPFW I used the following rule to allow traffic from the host to the rest of the world:
Code:
ipfw -q allow ip from me to any keep-state
In PF I use the following rule to allow traffic from the host to the rest of the world:
Code:
wan_if = "em1"
dmz_if = "em2"
lan_if = "em3"
six_if = "tun0"
vpn_if = "tun1"
table <selfnetwork> { $wan_if, $dmz_if, $lan_if, $six_if, $vpn_if }
pass from <selfnetwork> to any keep state
This seems to work fine... except when the rules are loaded during a boot of my device:
Code:
Enabling pf
no IP address found for tun0
/etc/pf.conf:29: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded
Line 29 contains the table specification. It seems that either tun0 or tun1 does not yet exist at the time PF is loaded, and PF balks and refuses to load the rules. (tun0 is created by Aiccu, tun1 is created by OpenVPN.)
If you have advice on how to work around this, I'd sure appreciate it!
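One way around the boot-time failure, as an added example that is not from the original post: declare the table with "persist" so it may be empty, build its entries from the interfaces that actually exist when pf.conf is generated, and let each tunnel's up hook add its own interface to the live table later with pfctl -T add. The script, its "gen"/"add" subcommands and the use of OpenVPN's --up hook are assumptions; the interface names are the ones from the post.

```shell
#!/bin/sh
# Hypothetical helper (not part of the original post or of pf/pfctl).
# Usage:
#   selfnetwork.sh gen        -> prints a pf.conf table line for line 29,
#                                listing only interfaces that exist right now
#   selfnetwork.sh add tun1   -> run from a tunnel daemon's up hook (e.g.
#                                OpenVPN --up) once the interface has an address
TABLE=selfnetwork
WANTED="em1 em2 em3 tun0 tun1"   # wan, dmz, lan, aiccu (tun0), openvpn (tun1)

# present_ifaces WANTED EXISTING -> the wanted names that are in EXISTING
present_ifaces() {
    out=""
    for i in $1; do
        for e in $2; do
            if [ "$i" = "$e" ]; then out="$out $i"; fi
        done
    done
    printf '%s' "${out# }"
}

# table_line WANTED EXISTING -> "table <selfnetwork> persist { em1, em2, ... }"
# With "persist" the table is valid even when no interface is present yet.
table_line() {
    list=""
    for i in $(present_ifaces "$1" "$2"); do
        if [ -n "$list" ]; then list="$list, $i"; else list="$i"; fi
    done
    if [ -n "$list" ]; then
        printf 'table <%s> persist { %s }\n' "$TABLE" "$list"
    else
        printf 'table <%s> persist\n' "$TABLE"
    fi
}

# late_add IFACE: add the interface's current addresses to the running table,
# without reloading the whole ruleset
late_add() {
    pfctl -t "$TABLE" -T add "$1"
}

case "${1:-}" in
    gen) table_line "$WANTED" "$(ifconfig -l)" ;;   # ifconfig -l lists FreeBSD interface names
    add) late_add "$2" ;;
esac
```

The rule itself stays "pass from <selfnetwork> to any keep state"; only the table declaration moves from a fixed list to the generated line plus runtime additions.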