Johannes Ballé wrote:
> Hello,
>
> I just hacked the patches/Makefile for vpnc to support vpnc 0.5.1. This
> release is far more usable than 0.4.0, because it fixes one annoying
> keep-alive problem and many other bugs.
>
> (see http://www.unix-ag.uni-kl.de/~massar/vpnc/ for a list)
>
> So here's the patch against SVN r10611.
>
> Additionally, I would like to suggest removing the
> start_vpn_nat/stop_vpn_nat functions in the vpnc-script (I kept them for
> now). Currently, they are hard-coded to allow any packets to be forwarded
> between the VPN and any other network (also the WAN...)
>
> In the setup I'm using (at least) this default is insecure. I'm using a VPN
> tunnel to establish a connection to the Internet and using the router to
> share this connection locally. So, I have to comment out these lines
> in /etc/vpnc/vpnc-script, which is not very user-friendly. IMHO, it would be
> better if the scripts were non-permissive by default (because the fact that
> you're using a VPN usually indicates that there are some security aspects
> involved).
>
> In most situations, I would think that a static firewall setup
> in /etc/firewall.user suffices. In my situation, it does. In cases where a
> dynamic firewall setup is needed, the user would probably adjust vpnc-script
> manually, anyway. So, as far as I can see, there's no point in having a
> wide-open firewall hard-coded into the script.
>
> Best regards,
>
> Johannes
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> http://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Also, your patch appears to be mangled (spaces instead of tabs).

Thanks
Travis
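A check for the permissive forwarding described in the quoted message, as an added example that is not part of this thread or of vpnc-script: it scans `iptables-save` style rules for FORWARD ACCEPT rules that name the VPN interface on one side only. The interface names `tun0` and `br-lan`, the function name `audit_vpn_forward` and both rule sets are constructed assumptions.

```shell
#!/bin/sh
# Added example: not taken from vpnc-script or the OpenWrt tree.
# Assumed names: tun0 is the VPN interface, br-lan is the LAN bridge.
VPN_IF="${VPN_IF:-tun0}"

# Constructed sample: forwarding open between the VPN and every other network.
PERMISSIVE_RULES='-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT'

# Constructed sample: LAN clients may go out through the VPN, only replies
# come back, and everything else arriving from the VPN is dropped.
RESTRICTED_RULES='-A FORWARD -i br-lan -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o br-lan -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -j DROP'

# Read iptables-save style rules on stdin and print each FORWARD ACCEPT rule
# that names the VPN interface on one side while the other side is left
# unconstrained. A negated match (! -i / ! -o) counts as unconstrained.
audit_vpn_forward() {
    awk -v vpn="$VPN_IF" '
        $1 == "-A" && $2 == "FORWARD" {
            in_if = ""; out_if = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i" && $(i - 1) != "!") in_if = $(i + 1)
                if ($i == "-o" && $(i - 1) != "!") out_if = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (target != "ACCEPT") next
            if ((in_if == vpn && out_if == "") || (out_if == vpn && in_if == ""))
                print "PERMISSIVE: " $0
        }
    '
}

echo "== permissive sample =="
printf '%s\n' "$PERMISSIVE_RULES" | audit_vpn_forward
echo "== restricted sample =="
printf '%s\n' "$RESTRICTED_RULES" | audit_vpn_forward
```

On a router the same function can read the live rule set from `iptables-save` instead of the constructed samples.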