Hello, I'm perhaps wrong but I think the interface must exist before loading any rules which use it.

Best regards, Jean-philippe.

On Thu, 19 Jul 2007 10:47:31 +0300 Tomas <[EMAIL PROTECTED]> wrote:
> Hi list,
>
> I'm having a weird problem with my openvpn install and pf.
> I start vpn and connect to it from client computers with no problems,
> but I can't access any computers on the internal lan. Then I issue pfctl
> -f /etc/pf.conf and everything starts to work. So my rc.local script
> is:
> <--->
> if [ X"${openvpn}" == X"YES" -a -x /usr/local/sbin/openvpn ];
> then echo -n ' openvpn';
>     /usr/local/sbin/openvpn --cd /etc/openvpn --config server.conf
>     sleep 10
>     /sbin/pfctl -f /etc/pf.conf
> fi
> <--->
> And everything works fine. But why do I need to reload my pf?
> My server.conf is:
> <--->
> daemon openvpn
> local xxx.xxx.xxx.xxx
> port 1194
> proto udp
> dev tun0
> tun-mtu 1500
> mssfix
> keepalive 10 120
> ca ca.crt
> cert server.crt
> key server.key
> dh dh1024.pem
> tls-auth ta.key 0
> cipher AES-256-CBC
> server 192.168.5.0 255.255.255.0
> push "route 192.168.0.0 255.255.255.0"
> route 192.168.6.0 255.255.255.0
> chroot /etc/openvpn
> status /var/log/openvpn-status.log
> log /var/log/openvpn-log.log
> writepid /var/run/openvpn.pid
> ifconfig-pool-persist ipp.txt
> replay-persist replay.txt
> client-config-dir ccd
> max-clients 5
> user nobody
> group nobody
> persist-key
> persist-tun
> comp-lzo
> verb 3
> mute 10
> <--->
> My hostname.tun0 is:
> <--->
> up
> <--->
> My pf.conf is:
> <--->
> ext_if="vr0"
> int_if="vr1"
> admins1="xxx.xxx.xxx.xxx"
> admins2="xxx.xxx.xxx.xxx"
> organization_net="192.168.0.0/24"
> ovpn_net="192.168.6/24"
> ovpn="1194"
>
> table <admins> { $admins1, $admins2 } const persist
> table <rfc1918> { 10/8, 172.16/12, 192.168/16 } const persist
> table <bad_hosts> persist
>
> set block-policy drop
> set optimization normal
> set ruleset-optimization basic
> set state-policy if-bound
> set loginterface $ext_if
> set skip on { lo0, $int_if, tun0 }
>
> scrub on $ext_if no-df fragment reassemble random-id
>
> nat-anchor "ftp-proxy/*"
> nat on $ext_if from $organization_net to any -> ($ext_if:0)
> rdr pass on $int_if inet proto tcp to port ftp -> 127.0.0.1 port 8021
> rdr-anchor "ftp-proxy/*"
>
> block log all
> block in log quick on $ext_if from any to 255.255.255.255
> antispoof log quick for { lo0, $ext_if, $int_if }
> anchor "ftp-proxy/*"
>
> pass log on $ext_if inet proto icmp icmp-type unreach code needfrag
> pass in log quick on $ext_if inet proto icmp from <admins> to ($ext_if) icmp-type echoreq modulate state label "icmp for admins"
> pass in log quick on $ext_if inet proto tcp from <admins> to ($ext_if) port ssh modulate state label "ssh for admins"
> pass out on $ext_if inet proto { tcp, udp, icmp } from ($ext_if) to any modulate state
> pass in log on $ext_if inet proto udp from any to ($ext_if) port $ovpn modulate state (max-src-conn-rate 30/10, overload <bad_hosts> flush global)
> <--->
> I'm using OpenBSD 4.1 and OpenVPN openvpn-2.0.6p0.
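The reply's point is an ordering one: the rc.local snippet above loads pf.conf a fixed 10 seconds after starting OpenVPN and hopes tun0 is up by then; if the ruleset is loaded while tun0 is still absent, the rules that name it are not tied to a real interface and VPN traffic ends up under `block log all` until the next `pfctl -f`, which matches what Tomas observed. The script below is an added example (not from this thread) that replaces the blind `sleep 10` with a wait for the interface to actually appear before loading the ruleset. It reuses the paths from Tomas's rc.local and assumes, as on OpenBSD, that `ifconfig IFACE` exits non-zero when the interface does not exist; `wait_for_iface` and `start_vpn_and_load_pf` are names chosen here.

```shell
#!/bin/sh
# Added example: load the pf ruleset only once the VPN interface exists.
# Paths (/usr/local/sbin/openvpn, /etc/openvpn, /etc/pf.conf) are those
# from the rc.local snippet in the thread.

# iface_exists IFACE -> exit 0 if the interface is configured on the host.
# Assumption: ifconfig exits non-zero for an unknown interface (true on OpenBSD).
iface_exists() {
    ifconfig "$1" >/dev/null 2>&1
}

# wait_for_iface IFACE TIMEOUT_SECONDS [CHECK_FN]
# Polls CHECK_FN (default: iface_exists) once per second until it succeeds.
# Returns 0 as soon as the interface is present, 1 if TIMEOUT_SECONDS elapse.
# CHECK_FN is a parameter only so the wait logic can be exercised without
# a real interface.
wait_for_iface() {
    iface=$1
    timeout=$2
    check=${3:-iface_exists}
    n=0
    while [ "$n" -lt "$timeout" ]; do
        if "$check" "$iface"; then
            return 0
        fi
        sleep 1
        n=$((n + 1))
    done
    return 1
}

# start_vpn_and_load_pf: the rc.local body with the fixed sleep replaced by
# an explicit wait for tun0. If tun0 never appears, the ruleset is NOT
# loaded and the caller is told, instead of silently leaving the VPN
# traffic under "block log all".
start_vpn_and_load_pf() {
    /usr/local/sbin/openvpn --cd /etc/openvpn --config server.conf || return 1
    if wait_for_iface tun0 30; then
        /sbin/pfctl -f /etc/pf.conf
    else
        echo "tun0 did not appear within 30s; pf ruleset not reloaded" >&2
        return 1
    fi
}
```

In rc.local this replaces the `sleep 10` / `pfctl -f` pair with a call to `start_vpn_and_load_pf`; the 30 second bound keeps boot from hanging if OpenVPN fails to bring the interface up, and the non-zero return makes that failure visible rather than leaving the firewall in the state the thread describes.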