Hi,

On Thu, Aug 27, 2015 at 09:18:12AM +1200, Jason Haar wrote:
> On 26/08/15 20:35, Arne Schwabe wrote:
> > Okay yes. Active FTP is broken by our simple nat implementation. But I
> > think FTP, let alone active FTP is dead. I am not sure if we should
> > support this in our simple NAT implementation.
> I agree. Surely this would be the beginning of a complete beat-up? 

I *could* argue that someone has been asking for a new DHCP option 
recently... :-)

I have not looked at the code yet to see how large or invasive it is,
but as it obviously has a fairly reasonable use case ("support old 
equipment behind state-of-the-art VPN tunnels"), I can see why the
feature makes some sort of sense.

OTOH I would do it differently altogether - put an OpenWRT box into
the network in question, OpenVPN on top of it, and use Linux iptables
NAT to do the actual natting back and forth and whatever is needed,
as it will always be more powerful than what we can build into OpenVPN
(and I'd totally not run important service stuff on windows).

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
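
For the "OpenWRT box with OpenVPN on top, iptables doing the NAT" setup sketched above, the part that makes active FTP survive is the kernel's FTP conntrack/NAT helper, which watches the PORT command on the control connection and pre-creates the expected inbound data connection so the firewall can accept it as RELATED. The following is an added example, not code from this thread or from the OpenVPN project; it assumes the LAN is on br-lan as 192.168.1.0/24, the tunnel interface is tun0, raw iptables is used instead of OpenWRT's firewall configuration, and IPT/MODPROBE can be overridden to dry-run (all of these are assumptions for illustration):

```shell
#!/bin/sh
# Added example (not from the OpenVPN thread): NAT on the Linux/OpenWRT box
# that terminates the tunnel, with the FTP helper attached so active FTP
# from old equipment on the LAN works through the NAT.
# Assumed names: br-lan (LAN side), tun0 (OpenVPN side), 192.168.1.0/24.
# Set IPT=echo / MODPROBE=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

# Load the FTP conntrack helper and its NAT companion. On OpenWRT these
# modules ship in the kmod-nf-nathelper package.
load_ftp_helper() {
    $MODPROBE nf_conntrack_ftp
    $MODPROBE nf_nat_ftp
}

# Emit/apply the four rules needed: usage nat_rules <lan_if> <vpn_if> <lan_net>
nat_rules() {
    lan_if="$1"
    vpn_if="$2"
    lan_net="$3"

    # 1. Source-NAT everything from the LAN that leaves through the tunnel.
    $IPT -t nat -A POSTROUTING -s "$lan_net" -o "$vpn_if" -j MASQUERADE

    # 2. Attach the FTP helper to control connections from the LAN.
    #    Since Linux 4.7 helpers are no longer assigned automatically
    #    (nf_conntrack_helper defaults to 0), so this explicit CT rule in
    #    the raw table is what actually enables PORT-command tracking.
    $IPT -t raw -A PREROUTING -i "$lan_if" -p tcp --dport 21 -j CT --helper ftp

    # 3. Forwarding policy: LAN -> tunnel freely; tunnel -> LAN only for
    #    replies (ESTABLISHED) and for connections the helper expected
    #    (RELATED), i.e. the server-initiated active-mode data connection.
    $IPT -A FORWARD -i "$lan_if" -o "$vpn_if" -j ACCEPT
    $IPT -A FORWARD -i "$vpn_if" -o "$lan_if" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Only apply when explicitly asked, so sourcing the file is side-effect free.
case "${1:-}" in
    apply)
        load_ftp_helper
        nat_rules br-lan tun0 192.168.1.0/24
        ;;
esac
```

Run it as `sh nat-ftp.sh apply` on the box (LAN hosts use the box as their default gateway, and OpenVPN brings up tun0). `IPT=echo MODPROBE=echo sh nat-ftp.sh apply` prints the rules without touching the kernel, which is a convenient way to review them before deploying. The helper also rewrites the LAN-private address inside the PORT payload to the tunnel address, which is precisely the part a simple packet-header NAT cannot do.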
