> [1] Am I correct that _updown script is *modified* by somebody leaf/lrp
> to accommodate ipchains, as opposed to the default ipfwadm?
>
> Perhaps, that script should include some brief attribution of this
> non-standard modification? Is there some reason to modify this, as
> opposed to using a custom script and [left|right]updown=, as recommended
> by FreeS/WAN?

_updown was modified by me (package/distribution maintainer) so it would work as-is in the existing distribution, which seems like the "expected" behavior. The FreeS/WAN advice still applies: if you're going to change _updown (as a user), you should probably re-name it. Changes to various IPSec scripts are noted on the IPSec package page of my website.

> [2] Am I correct that there is *no* need to set DCD network.conf
> settings:
>
> EXTERN_PORTS=
> EXTERN_PROTO[0..9]=
>
> since _updown does this by itself?

You can add these manually, or let _updown do it for you...you have to decide which is better in your environment.

NOTE: If you let _updown create the firewall rules, your VPN links will all go down if you ever manually re-load the firewall rules (i.e.: net ipfilter reload).

> [3] The only change required to network.conf is this?
>
> EXTERN_UDP_PORTS="network/mask_500"

Yes, if you're using [left|right]firewall=yes

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)