BUGS:
-----
* fix "to <ifname>" bug on FreeBSD 2.2.8
fastroute works

===============================================================================
GENERAL:
--------

* support redirection like "rdr tun0 0/32 port 80 ..."

* use fr_tcpstate() with NAT code for increased NAT usage security or even
  fr_checkstate() - suspect this is not possible.

* add another alias for <thishost> for interfaces <thisif>? as well as
  all IP#'s associated with the box <myaddrs>?

time permitting:

* load balancing across interfaces

* record buffering for TCP/UDP

* modular application proxying
-done

* allow multiple IP addresses in a source route list for ipsend

* port IP Filter to Linux
Not in this century.

* document bimap

* document NAT rule order processing

* add more docs
in progress

3.4:
XDDD. I agree. Bandwidth Shaping and QoS (Quality of Service, AKA
traffic prioritization) should be *TOP* in the TO DO list.

* Bandwidth limiting!!!
maybe for Solaris, otherwise "ALTQ"
* More examples
* More documentation
* Load balancing features added to the NAT code, so that I can have
something coming in for 20.20.20.20:80 and it gets shuffled around between
internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever.
- done, stage 1 (round robin/split)
The one thing that Cisco's PIX has on IPF that I can see is that it
rewrites the sequence numbers with semi-random ones.
- done

I would also love to see a more extensive NAT. It can choose to do
rdr and map based on saddr, daddr, sport and dport. (Does the kernel
module already have functionality for that and it just needs support in
the userland ipnat?)
-sort of done

        * intrusion detection
                detection of port scans
                detection of multiple connection attempts

        * support for multiple log files
                i.e. all connections to ftp and telnet logged to
                a separate log file

        * multiple levels of log severity with E-mail notification
                of intrusion alerts or other high priority errors

        * poison pill facility
                after detection of a port scan, start sending back
                large packets of garbage or other packets to
                otherwise confuse the intruder (ping of death?)

IPv6:
-----
* NAT is not yet available, either as a null proxy or address translation

BSD:
* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.

Solaris:
* "to <if>:<ip>" is not supported, but "fastroute" and "to <if>" are.

Tru64:
------
* IPv6 checksum calculation for RST's and ICMP packets is not done (there
  are routines in the Tru64 kernel to do this but what is the interface?)

does bimap allow equal sized subnets?

make return-icmp 'intelligent' if no type is given about what type to use?

reply-to - enforce packets to pass through interfaces in particular
           combinations - opposite to "to", set reverse path interface