BUGS:
-----
* fix "to <ifname>" bug on FreeBSD 2.2.8
  fastroute works

===============================================================================
GENERAL:
--------

* support redirection like "rdr tun0 0/32 port 80 ..."

* use fr_tcpstate() with NAT code for increased NAT usage security or even
  fr_checkstate() - suspect this is not possible.

* add another alias for <thishost> for interfaces <thisif>? as well as
  all IP#'s associated with the box <myaddrs>?

time permitting:

* load balancing across interfaces

* record buffering for TCP/UDP

* document bimap

* document NAT rule order processing

* add more docs
  in progress

3.4:
XDDD. I agree. Bandwidth Shaping and QoS (Quality of Service, AKA
traffic prioritization) should be *TOP* in the TO DO list.

* Bandwidth limiting!!!
  maybe for solaris, otherwise "ALTQ"
* More examples
* More documentation
* Load balancing features added to the NAT code, so that I can have
  something coming in for 20.20.20.20:80 and it gets shuffled around between
  internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever.
  - done, stage 1 (round robin/split)
The one thing that Cisco's PIX has on IPF that I can see is that it
rewrites the sequence numbers with semi-random ones.
  - done

I would also love to see a more extensive NAT. It can choose to do
rdr and map based on saddr, daddr, sport and dport. (Does the kernel
module already have functionality for that and it just needs support in
the userland ipnat?)
  - done

  * intrusion detection
    detection of port scans
    detection of multiple connection attempts

  * support for multiple log files
    i.e. all connections to ftp and telnet logged to
    a separate log file

  * multiple levels of log severity with E-mail notification
    of intrusion alerts or other high priority errors

  * poison pill facility
    after detection of a port scan, start sending back
    large packets of garbage or other packets to
    otherwise confuse the intruder (ping of death?)

IPv6:
-----
* NAT is not yet available, either as a null proxy or address translation

BSD:
----
* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.

Solaris:
--------
* "to <if>:<ip>" is not supported, but "fastroute" and "to <if>" are.

Tru64:
------
* IPv6 checksum calculation for RST's and ICMP packets is not done (there
  are routines in the Tru64 kernel to do this but what is the interface?)

does bimap allow equal sized subnets?

make return-icmp 'intelligent' if no type is given about what type to use?

reply-to - enforce packets to pass through interfaces in particular
combinations - opposite to "to", set reverse path interface