Source routing howto
Ian Smith
smithi at nimnet.asn.au
Thu Mar 10 05:37:56 UTC 2016
On Wed, 9 Mar 2016 14:40:16 +0100, elof2 at sentor.se wrote:
> On Wed, 9 Mar 2016, Jan Bramkamp wrote:
[..]
> > I would avoid policies based on IP addresses and prefer to define policies
> > based on (pseudo-) interfaces e.g. route (and nat?) traffic from vlan123
> > through the VPN tunnel.
>
> The only two things I have to play with here is:
> * ip range 10.10.10.x
> or
> * tun0
>
> Using 'tun0' might not be possible if it has to exist when ipfw/pf load at
> boot, 'cause tun0 is not created until the openvpn service has started.
I can't speak to pf, but ipfw doesn't require an interface to preexist.
I use mpd which creates interface ng0, well after firewall rules have
been loaded. In antiquity I used ppp; I can't recall whether the same
applied to tun0 similarly, and don't use vpns at all, but:
root at x200:~ # kldload ipfw && ipfw add 65000 allow ip from any to any
65000 allow ip from any to any
root at x200:~ # ipfw add 20000 count ip from any to any via nonexisting
20000 count ip from any to any via nonexisting
root at x200:~ # ipfw -t show
20000 0 0 count ip from any to any via nonexisting
65000 71 6588 Thu Mar 10 16:20:02 2016 allow ip from any to any
65535 0 0 deny ip from any to any
cheers, Ian
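To make the point concrete, here is an added example (not from Ian's mail or the FreeBSD tree) of the interface-keyed policy the thread discusses: an rc.firewall-style snippet that adds ipfw rules for a VPN interface by name before that interface exists, and a small helper that reads `ipfw -t show` output (the column layout seen above) to tell whether traffic has started to hit those rules. The interface name tun0 and the subnet 10.10.10.0/24 come from the thread; the rule numbers, the final deny rule and the sample `ipfw -t show` lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: interface-keyed ipfw policy for a VPN tunnel.
# Assumed names: tun0, 10.10.10.0/24, rule numbers from 20000.

# Print ipfw commands that key the policy on the interface name rather
# than the address range. ipfw does not require the interface to exist
# when a rule is added, so this can run from /etc/rc.firewall (or an
# ipfw rules file) before openvpn has created tun0.
emit_vpn_rules() {
    vpn_if=$1      # e.g. tun0
    lan_net=$2     # e.g. 10.10.10.0/24
    base=$3        # first rule number to use
    cat <<EOF
add $base count ip from any to any via $vpn_if
add $((base + 10)) allow ip from $lan_net to any out via $vpn_if
add $((base + 20)) allow ip from any to $lan_net in via $vpn_if
add $((base + 30)) deny ip from any to any via $vpn_if
EOF
}

# Feed the generated rules to ipfw(8) one command at a time.
# Returns non-zero if ipfw is not installed on this host.
load_vpn_rules() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not found; rules not loaded" >&2
        return 1
    fi
    emit_vpn_rules "$@" | while read -r line; do
        # shellcheck disable=SC2086  # word splitting is intended here
        ipfw -q $line
    done
}

# Packet counter of one rule, read from `ipfw -t show` output on stdin.
# Columns are: rule number, packets, bytes, optional last-match
# timestamp, then the rule body, so the packet count is always field 2.
rule_packets() {
    awk -v rule="$1" '$1 == rule { print $2; exit }'
}

# Succeeds once the given rule has matched at least one packet, i.e.
# the tunnel came up and traffic is flowing through the interface rules.
vpn_seen_traffic() {
    pkts=$(rule_packets "$1")
    [ -n "$pkts" ] && [ "$pkts" -gt 0 ]
}

# Constructed sample of `ipfw -t show` output (not real counters):
# the tun0 rules have not matched yet, the catch-all allow has.
SAMPLE_SHOW='20000 0 0 count ip from any to any via tun0
20010 0 0 allow ip from 10.10.10.0/24 to any out via tun0
20020 0 0 allow ip from any to 10.10.10.0/24 in via tun0
20030 0 0 deny ip from any to any via tun0
65000 71 6588 Thu Mar 10 16:20:02 2016 allow ip from any to any
65535 0 0 deny ip from any to any'

if [ "${1:-}" = "demo" ]; then
    emit_vpn_rules tun0 10.10.10.0/24 20000
    printf '%s\n' "$SAMPLE_SHOW" | rule_packets 65000
fi
```

Run with `sh vpn_rules.sh demo` to see the generated rules; on a FreeBSD host, `load_vpn_rules tun0 10.10.10.0/24 20000` can be called from the firewall script at boot, and `ipfw -t show | rule_packets 20000` after openvpn is up shows whether packets are matching the tun0 rules. The `count` rule at the start of the block is there purely so that counter can be inspected without affecting policy.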