99 lines
2.8 KiB
Plaintext
99 lines
2.8 KiB
Plaintext
BUGS:
|
|
-----
|
|
* fix "to <ifname>" bug on FreeBSD 2.2.8
|
|
fastroute works
|
|
|
|
===============================================================================
|
|
GENERAL:
|
|
--------
|
|
|
|
* use fr_tcpstate() with NAT code for increased NAT usage security or even
|
|
fr_checkstate() - suspect this is not possible.
|
|
|
|
time permitting:
|
|
|
|
* load balancing across interfaces
|
|
|
|
* record buffering for TCP/UDP
|
|
|
|
* modular application proxying
|
|
available
|
|
|
|
* allow multiple ip addresses in a source route list for ipsend
|
|
|
|
* complete Linux port to implement all the IP Filter features
|
|
return-rst done, to/dup-to/fastroute remain - ip_forward() problems :-(
|
|
on hold until rewrite
|
|
|
|
* add a flag to automate src spoofing
|
|
done
|
|
|
|
* ipfsync() should change IP#'s in current mappings as well as what's
|
|
in rules.
|
|
done
|
|
|
|
* document bimap
|
|
|
|
* document NAT rule order processing
|
|
|
|
* add more docs
|
|
in progress
|
|
|
|
3.4:
|
|
XDDD. I agree. Bandwidth Shapping and QoS (Quality of Service, AKA
|
|
traffic priorization) should be *TOP* in the TO DO list.
|
|
|
|
* irc proxy for dcc
|
|
* Bandwidth limiting!!!
|
|
* More examples
|
|
* More documentation
|
|
* And did I mention bandwidth limiting???
|
|
* Load balancing features added to the NAT code, so that I can have
|
|
something coming in for 20.20.20.20:80 and it gets shuffled around between
|
|
internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever.
|
|
- done, stage 1 (round robin/split)
|
|
The one thing that Cisco's PIX has on IPF that I can see is that
|
|
rewrites the sequence numbers with semi-random ones.
|
|
|
|
I would also love to see a more extensive NAT. It can choose to do
|
|
rdr and map based on saddr, daddr, sport and dport. (Does the kernel
|
|
module already have functionality for that and it just needs support in
|
|
the userland ipnat?)
|
|
|
|
* intrusion detection
|
|
detection of port scans
|
|
detection of multiple connection attempts
|
|
|
|
* support for multiple log files
|
|
i.e. all connections to ftp and telnet logged to
|
|
a seperate log file
|
|
|
|
* multiple levels of log severity with E-mail notification
|
|
of intrusion alerts or other high priority errors
|
|
|
|
* poison pill facility
|
|
after detection of a port scan, start sending back
|
|
large packets of garbage or other packets to
|
|
otherwise confuse the intruder (ping of death?)
|
|
|
|
* I ran into your solaris streams stuff and noticed you are
|
|
playing with mblk's in an unsafe way. You seem to be modifying the
|
|
underlying datab without checking db_ref. If db_ref is greater than one,
|
|
you'll need to copy the mblk,
|
|
- fixed
|
|
|
|
* fix up where manual pages go for Solaris2
|
|
|
|
|
|
IPv6:
|
|
-----
|
|
* NAT is yet not available, either as a null proxy or address translation
|
|
|
|
BSD:
|
|
* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.
|
|
fixed.
|
|
|
|
Solaris:
|
|
* "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are.
|
|
|