On Mon, Mar 17, 2008 at 6:12 PM, Johannes Ballé <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I just hacked the patches/Makefile for vpnc to support vpnc 0.5.1. This
> release is far more usable than 0.4.0, because it fixes one annoying
> keep-alive problem and many other bugs.
>
> (see http://www.unix-ag.uni-kl.de/~massar/vpnc/ for a list)
>
> So here's the patch against SVN r10611.
>
> Additionally, I would like to suggest removing the start_vpn_nat/stop_vpn_nat
> functions in the vpnc-script (I kept them for now). Currently, they are
> hard-coded to allow any packets to be forwarded between the VPN and any other
> network (also the WAN...)

please sign off your patch

https://dev.openwrt.org/wiki/SubmittingPatches

Thanks
Travis

> In the setup I'm using (at least) this default is insecure. I'm using a VPN
> tunnel to establish a connection to the Internet and using the router to
> share this connection locally. So, I have to comment out these lines
> in /etc/vpnc/vpnc-script, which is not very user-friendly. IMHO, it would be
> better if the scripts were non-permissive by default (because the fact that
> you're using a VPN usually indicates that there are some security aspects
> involved).
>
> In most situations, I would think that a static firewall setup
> in /etc/firewall.user suffices. In my situation, it does. In cases where a
> dynamic firewall setup is needed, the user would probably adjust vpnc-script
> manually, anyway. So, as far as I can see, there's no point in having a
> wide-open firewall hard-coded into the script.
>
> Best regards,
>
> Johannes
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> http://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
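To illustrate the point Johannes raises about the hard-coded forwarding rules, here is an added example (not code from the thread or from the vpnc-script itself) contrasting an assumed wide-open form of start_vpn_nat with a variant that only forwards traffic originating from the router's LAN. The interface names (tun0, br-lan) and the LAN subnet are assumed placeholders; set IPT to a dry-run command to see the rules without applying them.

```shell
#!/bin/sh
# Assumed placeholders for an OpenWrt router sharing a vpnc tunnel with its LAN.
TUNDEV="${TUNDEV:-tun0}"
LAN_IF="${LAN_IF:-br-lan}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-iptables}"   # e.g. IPT="echo iptables" for a dry run

# Assumed permissive form, mirroring what the thread describes: any interface,
# including the WAN side, may forward packets into and out of the tunnel.
permissive_vpn_nat() {
    $IPT -A FORWARD -o "$TUNDEV" -j ACCEPT
    $IPT -A FORWARD -i "$TUNDEV" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$TUNDEV" -j MASQUERADE
}

# Restricted form: only hosts in LAN_NET arriving on LAN_IF may open flows
# into the tunnel; traffic coming back out of the tunnel is limited to
# replies for those flows, so nothing from the WAN is forwarded either way.
restricted_vpn_nat() {
    $IPT -A FORWARD -i "$LAN_IF" -o "$TUNDEV" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$TUNDEV" -o "$LAN_IF" -d "$LAN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$TUNDEV" -s "$LAN_NET" -j MASQUERADE
}

# Teardown for the restricted form (same rules, deleted with -D).
restricted_vpn_nat_stop() {
    $IPT -D FORWARD -i "$LAN_IF" -o "$TUNDEV" -s "$LAN_NET" -j ACCEPT
    $IPT -D FORWARD -i "$TUNDEV" -o "$LAN_IF" -d "$LAN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -D POSTROUTING -o "$TUNDEV" -s "$LAN_NET" -j MASQUERADE
}
```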