diff options
Diffstat (limited to 'todo')
-rw-r--r-- | todo | 98 |
1 files changed, 98 insertions, 0 deletions
@@ -0,0 +1,98 @@ +BUGS: +----- +* fix "to <ifname>" bug on FreeBSD 2.2.8 +fastroute works + +=============================================================================== +GENERAL: +-------- + +* support redirection like "rdr tun0 0/32 port 80 ..." + +* use fr_tcpstate() with NAT code for increased NAT usage security or even + fr_checkstate() - suspect this is not possible. + +* add another alias for <thishost> for interfaces <thisif>? as well as + all IP#'s associated with the box <myaddrs>? + +time permitting: + +* load balancing across interfaces + +* record buffering for TCP/UDP + +* modular application proxying +-done + +* allow multiple ip addresses in a source route list for ipsend + +* port IP Filter to Linux +Not in this century. + +* document bimap + +* document NAT rule order processing + +* add more docs +in progress + +3.4: +XDDD. I agree. Bandwidth Shapping and QoS (Quality of Service, AKA +traffic priorization) should be *TOP* in the TO DO list. + +* Bandwidth limiting!!! +maybe for solaris, otherwise "ALTQ" +* More examples +* More documentation +* Load balancing features added to the NAT code, so that I can have +something coming in for 20.20.20.20:80 and it gets shuffled around between +internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever. +- done, stage 1 (round robin/split) +The one thing that Cisco's PIX has on IPF that I can see is that +rewrites the sequence numbers with semi-random ones. +- done + +I would also love to see a more extensive NAT. It can choose to do +rdr and map based on saddr, daddr, sport and dport. (Does the kernel +module already have functionality for that and it just needs support in +the userland ipnat?) +-sort of done + + * intrusion detection + detection of port scans + detection of multiple connection attempts + + * support for multiple log files + i.e. all connections to ftp and telnet logged to + a seperate log file + + * multiple levels of log severity with E-mail notification + of intrusion alerts or other high priority errors + + * poison pill facility + after detection of a port scan, start sending back + large packets of garbage or other packets to + otherwise confuse the intruder (ping of death?) + +IPv6: +----- +* NAT is yet not available, either as a null proxy or address translation + +BSD: +* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is. + +Solaris: +* "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are. + +Tru64: +------ +* IPv6 checksum calculation for RST's and ICMP packets is not done (there + are routines in the Tru64 kernel to do this but what is the interface?) + +does bimap allow equal sized subnets? + +make return-icmp 'intelligent' if no type is given about what type to use? + +reply-to - enforce packets to pass through interfaces in particular +combinations - opposite to "to", set reverse path interface + |