xref: /netbsd-src/external/bsd/ipf/dist/todo (revision bc4097aacfdd9307c19b7947c13c6ad6982527a9)
BUGS:
-----
* fix "to <ifname>" bug on FreeBSD 2.2.8
fastroute works

===============================================================================
GENERAL:
--------

* support redirection like "rdr tun0 0/32 port 80 ..."

* use fr_tcpstate() with NAT code for increased NAT usage security or even
  fr_checkstate() - suspect this is not possible.

* add another alias for <thishost> for interfaces <thisif>? as well as
  all IP#'s associated with the box <myaddrs>?

time permitting:

* load balancing across interfaces

* record buffering for TCP/UDP

* document bimap

* document NAT rule order processing

* add more docs
in progress

3.4:
XDDD. I agree. Bandwidth Shaping and QoS (Quality of Service, AKA
traffic prioritization) should be *TOP* in the TO DO list.

* Bandwidth limiting!!!
maybe for solaris, otherwise "ALTQ"
* More examples
* More documentation
* Load balancing features added to the NAT code, so that I can have
something coming in for 20.20.20.20:80 and it gets shuffled around between
internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever.
- done, stage 1 (round robin/split)
The one thing that Cisco's PIX has on IPF that I can see is that
rewrites the sequence numbers with semi-random ones.
- done

I would also love to see a more extensive NAT.  It can choose to do
rdr and map based on saddr, daddr, sport and dport.  (Does the kernel
module already have functionality for that and it just needs support in
the userland ipnat?)
-done

        * intrusion detection
                detection of port scans
                detection of multiple connection attempts

        * support for multiple log files
                i.e. all connections to ftp and telnet logged to
                        a separate log file

        * multiple levels of log severity with E-mail notification
                of intrusion alerts or other high priority errors

        * poison pill facility
                after detection of a port scan, start sending back
                large packets of garbage or other packets to
                otherwise confuse the intruder (ping of death?)

IPv6:
-----
* NAT is not yet available, either as a null proxy or address translation

BSD:
* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.

Solaris:
* "to <if>:<ip>" is not supported, but "fastroute" and "to <if>" are.

Tru64:
------
* IPv6 checksum calculation for RST's and ICMP packets is not done (there
  are routines in the Tru64 kernel to do this but what is the interface?)

does bimap allow equal sized subnets?

make return-icmp 'intelligent' if no type is given about what type to use?

reply-to - enforce packets to pass through interfaces in particular
combinations - opposite to "to", set reverse path interface

91