| BUGS: |
| ----- |
| * fix "to <ifname>" bug on FreeBSD 2.2.8 |
| fastroute works |
| |
| =============================================================================== |
| GENERAL: |
| -------- |
| |
| * use fr_tcpstate() with NAT code for increased NAT usage security or even |
| fr_checkstate() - suspect this is not possible. |
| |
| time permitting: |
| |
| * load balancing across interfaces |
| |
| * record buffering for TCP/UDP |
| |
| * modular application proxying |
| available |
| |
| * allow multiple ip addresses in a source route list for ipsend |
| |
| * complete Linux port to implement all the IP Filter features |
| return-rst done, to/dup-to/fastroute remain - ip_forward() problems :-( |
| on hold until rewrite |
| |
| * add a flag to automate src spoofing |
| done |
| |
| * ipfsync() should change IP#'s in current mappings as well as what's |
| in rules. |
| done |
| |
| * document bimap |
| |
| * document NAT rule order processing |
| |
| * add more docs |
| in progress |
| |
| 3.4: |
| XDDD. I agree. Bandwidth Shapping and QoS (Quality of Service, AKA |
| traffic priorization) should be *TOP* in the TO DO list. |
| |
| * irc proxy for dcc |
| * Bandwidth limiting!!! |
| * More examples |
| * More documentation |
| * And did I mention bandwidth limiting??? |
| * Load balancing features added to the NAT code, so that I can have |
| something coming in for 20.20.20.20:80 and it gets shuffled around between |
| internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever. |
| - done, stage 1 (round robin/split) |
| The one thing that Cisco's PIX has on IPF that I can see is that |
| rewrites the sequence numbers with semi-random ones. |
| |
| I would also love to see a more extensive NAT. It can choose to do |
| rdr and map based on saddr, daddr, sport and dport. (Does the kernel |
| module already have functionality for that and it just needs support in |
| the userland ipnat?) |
| |
| * intrusion detection |
| detection of port scans |
| detection of multiple connection attempts |
| |
| * support for multiple log files |
| i.e. all connections to ftp and telnet logged to |
| a seperate log file |
| |
| * multiple levels of log severity with E-mail notification |
| of intrusion alerts or other high priority errors |
| |
| * poison pill facility |
| after detection of a port scan, start sending back |
| large packets of garbage or other packets to |
| otherwise confuse the intruder (ping of death?) |
| |
| * I ran into your solaris streams stuff and noticed you are |
| playing with mblk's in an unsafe way. You seem to be modifying the |
| underlying datab without checking db_ref. If db_ref is greater than one, |
| you'll need to copy the mblk, |
| - fixed |
| |
| * fix up where manual pages go for Solaris2 |
| |
| |
| IPv6: |
| ----- |
| * NAT is yet not available, either as a null proxy or address translation |
| |
| BSD: |
| * "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is. |
| |
| Solaris: |
| * "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are. |
| |