 From:  "Chad R. Larson" <clarson at eldocomp dot com>
 To:  Manuel Kasper <mk at neon1 dot net>
 Cc:  M0N0Wall firewall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] IPSEC tunnel with several SAs
 Date:  Tue, 20 Jan 2004 16:35:37 -0700
At 10:51 AM 1/20/2004, Manuel Kasper wrote:
>OK, I had a look at the documentation, and it seems to be OK to use 
>"unique" instead of "require" here, so it will be changed in the next release.

As long as you're compiling the todo list for the next release, might you 
consider adding support for the "bimap" command for address blocks?

We have many customers who connect to us via private lines and/or VPN 
tunnels.  Due to what I consider a bad policy (give the customer what he 
wants :-]) we've got RFC1918 addresses running around on our network from 
the customer.  Inevitably, we get conflicts.  Customer A is using 
192.168.100.0/24 on his network, and new customer B is using the same 
addresses.  We want to be able to map 192.168.100.0/24 -> 192.168.101.0/24 
(or something like that).

We used to have a hack to the PHP so that it would check for the existence 
of a "nat.conf" file in the same directory as the "config.xml" file, and if 
it did, source it.  Then we could put any extra commands we needed on the 
floppy and have our changes survive a reboot.

This was at the bottom of the "/etc/inc/filter.inc" file.

// Load any extra ipnat rules kept beside config.xml so they survive a reboot
if (file_exists("{$g['conf_path']}/nat.conf")) {
    mwexec("/sbin/ipnat -f {$g['conf_path']}/nat.conf");
}

Since pb25, we've dropped our hack and instead have this in the system 
portion of "config.xml":
<shellcmd>echo 'bimap fxp0 192.168.100.0/24 -> 192.168.101.0/24' | /sbin/ipnat -f -</shellcmd>

BTW, you =are= planning to put in GUI support for the "shellcmd" tag, 
aren't you?


          -crl
--
Chad R. Larson (CRL22)    chad at eldocomp dot com
   Eldorado Computing, Inc.   602-604-3100
      5353 North 16th Street, Suite 400
        Phoenix, Arizona   85016-3228

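As an added illustration of what the bimap request above amounts to (example code written for this archive page, not code from the message, from m0n0wall, or from IPFilter): a bimap rule is a stateless one-to-one translation of one address block onto another block of the same size, carrying the host bits across unchanged in both directions. The Python below models that with the standard ipaddress module and also shows the overlap check that makes such a mapping necessary when two customers hand you the same RFC1918 block. The names Bimap and overlapping_customers are the example's own; it does not reproduce ipnat's interface or state handling.

```python
"""Model of an ipnat-style "bimap": 1:1 block translation preserving host bits.
Added illustration only; not m0n0wall or IPFilter code."""
import ipaddress


class Bimap:
    """bimap <iface> <local_net> -> <mapped_net>: host N of local_net is seen
    by the far side as host N of mapped_net, and vice versa."""

    def __init__(self, iface, local_net, mapped_net):
        self.iface = iface
        self.local = ipaddress.ip_network(local_net, strict=True)
        self.mapped = ipaddress.ip_network(mapped_net, strict=True)
        # Both blocks must be the same size, or the host bits could not be
        # copied across unchanged (ipnat rejects mismatched masks too).
        if self.local.prefixlen != self.mapped.prefixlen:
            raise ValueError("bimap blocks must have the same prefix length")

    def rule(self):
        """The text you would feed to `ipnat -f -`."""
        return f"bimap {self.iface} {self.local} -> {self.mapped}"

    @staticmethod
    def _shift(addr, src_net, dst_net):
        addr = ipaddress.ip_address(addr)
        if addr not in src_net:
            return addr  # rule does not match; address passes untouched
        offset = int(addr) - int(src_net.network_address)
        return ipaddress.ip_address(int(dst_net.network_address) + offset)

    def outbound_src(self, src):
        """Packet leaving the local block: rewrite its source address."""
        return self._shift(src, self.local, self.mapped)

    def inbound_dst(self, dst):
        """Packet arriving for the mapped block: rewrite its destination."""
        return self._shift(dst, self.mapped, self.local)


def overlapping_customers(assignments):
    """Return sorted pairs of customer names whose blocks collide.
    assignments: dict of name -> network string (constructed sample input)."""
    nets = {name: ipaddress.ip_network(net) for name, net in assignments.items()}
    names = sorted(nets)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    # Constructed sample: customers A and B both chose 192.168.100.0/24.
    customers = {"A": "192.168.100.0/24", "B": "192.168.100.0/24",
                 "C": "172.16.5.0/24"}
    print("conflicts:", overlapping_customers(customers))

    # Give B a distinct face on our side, as in the shellcmd from the message.
    nat = Bimap("fxp0", "192.168.100.0/24", "192.168.101.0/24")
    print(nat.rule())
    print("B host .37 seen by us as", nat.outbound_src("192.168.100.37"))
    print("we reach .37 via", nat.inbound_dst("192.168.101.37"))
```

Run it as a script to see the conflict pair and the two translations; the overlap check is the part worth keeping, since a bimap onto a block that itself collides with another customer just moves the problem.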