Hi Kris!

On Sunday, 18.09.2005, 16:43 -0400, Kris Maglione wrote:

> That's really a good question... I would have no use for it, but I
> suppose it's reasonable for someone to want to route NetBIOS/BEUI or
> IPX, although I can't imagine how well that would fare.

I see. Routing non-routable protocols ;-)

> Perhaps there should be hidden *_adv.php for experts,
> rather than forcing them to edit the config file and reboot the
> firewall... and perhaps if they use it, they should be precluded from
> editing a given connection the normal way. That way, they can choose
> what system does what, and know that they're taking a risk of breaking
> something if they're not careful. It would have one of those red 'This
> page is not supported...' pages.

Do you know the Cisco PIX VPN wizard? It does - not exactly, but almost - this. It asks the user some questions and builds a reasonable IPSEC configuration. Afterwards you're able to edit this ruleset by hand, if you want.

> Another note: if OpenVPN depends on the DHCP server or something else,
> that configuration should be tied to OpenVPN, so when one thing changes,
> so does the other... This goes back to my prior complaint about NAT
> rules not being tied to their firewall rules. If you kill a VPN server,
> its DHCP and bridging rules should die also, etc.

I've looked over it the last few days and recognized that this is very problematic to implement. I thought of a field <inuse/> that can be checked if someone wants to delete an interface. The next step would be to have an algorithm that deletes all corresponding rulesets automatically. But constructing such a dependency tree is a lot of work and could lead us to a real patchwork. I believe it is one thing to consider for 1.3beta, if and when we decide to go for a cleaner design.

BR,
PIT

---------------------------------------------------------------------------
copyleft(c) by         |           I did this 'cause Linux gives me a woody. It
Peter Allgeyer         |   _-_     doesn't generate revenue. (Dave '-ddt->`
                       |  0(o_o)0  Taylor, announcing DOOM for Linux)
---------------oOO--(_)--OOo-----------------------------------------------