Update. With help from the mailing list, both of my problems have
been solved. The first problem was the same as the original
poster. To reiterate, the problems were:
1. On startup, pf would not allow any packets through on tun0.
Thus openvpn would not work. The temporary fix was to ssh in and
run "pfctl -f /etc/pf.conf".
2. After running "pfctl -f /etc/pf.conf", openvpn would only work
if "pass in on $int_if from 10.8.0.0/24 to any" was in the pf.conf
file.
The solution was twofold. First, remove the two lines from my
pf.conf file (listed at the bottom):
set skip on { lo, tun0 }
pass in on $int_if from 10.8.0.0/24
The second part of the solution was to add after "block in":
pass quick on { lo, tun0 }
This fixed both problems. I hope this works for the original
poster as well. I guess "set skip" doesn't work for tun0.
On Fri, 20 Jul 2007 09:12:20 -0700 [EMAIL PROTECTED] wrote:
>Here are my pf rules:
>
>ext_if="fxp0"
>int_if="ath0"
>
>set skip on { lo, tun0 }
>set block-policy return
>
>scrub in
>
>nat-anchor "ftp-proxy/*"
>rdr-anchor "ftp-proxy/*"
>nat on $ext_if from !($ext_if) -> ($ext_if:0)
>rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>
>anchor "ftp-proxy/*"
>block in
>
>antispoof quick for { lo, $int_if, tun0 }
>
>pass in on $int_if proto tcp from 10.1.1.2 to 10.1.1.1 port ssh
>pass in proto icmp
>pass in on $int_if from 10.8.0.0/24 to any
>pass in on $int_if proto udp from 10.1.1.2 to 10.1.1.1 port 1194
>pass out