freebsd-dev/contrib/ipfilter/todo

98 lines
2.8 KiB
Plaintext
Raw Normal View History

BUGS:
-----
* fix "to <ifname>" bug on FreeBSD 2.2.8
fastroute works
===============================================================================
GENERAL:
--------
* use fr_tcpstate() with NAT code for increased NAT usage security or even
1997-05-25 15:45:04 +00:00
fr_checkstate() - suspect this is not possible.
time permitting:
* load balancing across interfaces
* record buffering for TCP/UDP
* modular application proxying
available
1997-05-25 15:45:04 +00:00
* allow multiple ip addresses in a source route list for ipsend
1997-05-25 15:45:04 +00:00
* complete Linux port to implement all the IP Filter features
1998-03-21 10:04:55 +00:00
return-rst done, to/dup-to/fastroute remain - ip_forward() problems :-(
on hold until rewrite
1998-03-21 10:04:55 +00:00
* add a flag to automate src spoofing
done
1998-03-21 10:04:55 +00:00
* ipfsync() should change IP#'s in current mappings as well as what's
in rules.
done
1998-03-21 10:04:55 +00:00
* document bimap
* document NAT rule order processing
* add more docs
in progress
3.4:
XDDD. I agree. Bandwidth Shapping and QoS (Quality of Service, AKA
traffic priorization) should be *TOP* in the TO DO list.
* irc proxy for dcc
* Bandwidth limiting!!!
* More examples
* More documentation
* And did I mention bandwidth limiting???
* Load balancing features added to the NAT code, so that I can have
something coming in for 20.20.20.20:80 and it gets shuffled around between
internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever.
- done, stage 1 (round robin/split)
The one thing that Cisco's PIX has on IPF that I can see is that
rewrites the sequence numbers with semi-random ones.
I would also love to see a more extensive NAT. It can choose to do
rdr and map based on saddr, daddr, sport and dport. (Does the kernel
module already have functionality for that and it just needs support in
the userland ipnat?)
* intrusion detection
detection of port scans
detection of multiple connection attempts
* support for multiple log files
i.e. all connections to ftp and telnet logged to
a seperate log file
* multiple levels of log severity with E-mail notification
of intrusion alerts or other high priority errors
* poison pill facility
after detection of a port scan, start sending back
large packets of garbage or other packets to
otherwise confuse the intruder (ping of death?)
* I ran into your solaris streams stuff and noticed you are
playing with mblk's in an unsafe way. You seem to be modifying the
underlying datab without checking db_ref. If db_ref is greater than one,
you'll need to copy the mblk,
- fixed
* fix up where manual pages go for Solaris2
IPv6:
-----
* NAT is yet not available, either as a null proxy or address translation
BSD:
* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.
Solaris:
* "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are.