head	1.1;
branch	1.1.1;
access;
symbols
	RELENG_8_4:1.1.1.13.0.30
	RELENG_9_1_0_RELEASE:1.1.1.13
	RELENG_9_1:1.1.1.13.0.28
	RELENG_9_1_BP:1.1.1.13
	RELENG_8_3_0_RELEASE:1.1.1.13
	RELENG_8_3:1.1.1.13.0.26
	RELENG_8_3_BP:1.1.1.13
	RELENG_9_0_0_RELEASE:1.1.1.13
	RELENG_9_0:1.1.1.13.0.24
	RELENG_9_0_BP:1.1.1.13
	RELENG_9:1.1.1.13.0.22
	RELENG_9_BP:1.1.1.13
	RELENG_7_4_0_RELEASE:1.1.1.13
	RELENG_8_2_0_RELEASE:1.1.1.13
	RELENG_7_4:1.1.1.13.0.20
	RELENG_7_4_BP:1.1.1.13
	RELENG_8_2:1.1.1.13.0.18
	RELENG_8_2_BP:1.1.1.13
	RELENG_8_1_0_RELEASE:1.1.1.13
	RELENG_8_1:1.1.1.13.0.16
	RELENG_8_1_BP:1.1.1.13
	RELENG_7_3_0_RELEASE:1.1.1.13
	RELENG_7_3:1.1.1.13.0.14
	RELENG_7_3_BP:1.1.1.13
	RELENG_8_0_0_RELEASE:1.1.1.13
	RELENG_8_0:1.1.1.13.0.12
	RELENG_8_0_BP:1.1.1.13
	RELENG_8:1.1.1.13.0.10
	RELENG_8_BP:1.1.1.13
	RELENG_7_2_0_RELEASE:1.1.1.13
	RELENG_7_2:1.1.1.13.0.8
	RELENG_7_2_BP:1.1.1.13
	RELENG_7_1_0_RELEASE:1.1.1.13
	RELENG_6_4_0_RELEASE:1.1.1.12
	RELENG_7_1:1.1.1.13.0.6
	RELENG_7_1_BP:1.1.1.13
	RELENG_6_4:1.1.1.12.0.12
	RELENG_6_4_BP:1.1.1.12
	RELENG_7_0_0_RELEASE:1.1.1.13
	RELENG_6_3_0_RELEASE:1.1.1.12
	RELENG_7_0:1.1.1.13.0.4
	RELENG_7_0_BP:1.1.1.13
	RELENG_6_3:1.1.1.12.0.10
	RELENG_6_3_BP:1.1.1.12
	RELENG_7:1.1.1.13.0.2
	RELENG_7_BP:1.1.1.13
	RELENG_6_2_0_RELEASE:1.1.1.12
	RELENG_6_2:1.1.1.12.0.8
	RELENG_6_2_BP:1.1.1.12
	v4-1-13:1.1.1.13
	RELENG_5_5_0_RELEASE:1.1.1.10
	RELENG_5_5:1.1.1.10.0.14
	RELENG_5_5_BP:1.1.1.10
	RELENG_6_1_0_RELEASE:1.1.1.12
	RELENG_6_1:1.1.1.12.0.6
	RELENG_6_1_BP:1.1.1.12
	RELENG_6_0_0_RELEASE:1.1.1.12
	RELENG_6_0:1.1.1.12.0.4
	RELENG_6_0_BP:1.1.1.12
	RELENG_6:1.1.1.12.0.2
	RELENG_6_BP:1.1.1.12
	RELENG_5_4_0_RELEASE:1.1.1.10
	v4-1-8:1.1.1.11
	RELENG_5_4:1.1.1.10.0.12
	RELENG_5_4_BP:1.1.1.10
	RELENG_4_11_0_RELEASE:1.1.1.8.2.2
	RELENG_4_11:1.1.1.8.2.2.0.12
	RELENG_4_11_BP:1.1.1.8.2.2
	RELENG_5_3_0_RELEASE:1.1.1.10
	RELENG_5_3:1.1.1.10.0.10
	RELENG_5_3_BP:1.1.1.10
	RELENG_5:1.1.1.10.0.8
	RELENG_5_BP:1.1.1.10
	v3-4-35:1.1.1.10
	RELENG_4_10_0_RELEASE:1.1.1.8.2.2
	RELENG_4_10:1.1.1.8.2.2.0.10
	RELENG_4_10_BP:1.1.1.8.2.2
	RELENG_5_2_1_RELEASE:1.1.1.10
	RELENG_5_2_0_RELEASE:1.1.1.10
	RELENG_5_2:1.1.1.10.0.6
	RELENG_5_2_BP:1.1.1.10
	RELENG_4_9_0_RELEASE:1.1.1.8.2.2
	RELENG_4_9:1.1.1.8.2.2.0.8
	RELENG_4_9_BP:1.1.1.8.2.2
	RELENG_5_1_0_RELEASE:1.1.1.10
	RELENG_5_1:1.1.1.10.0.4
	RELENG_5_1_BP:1.1.1.10
	RELENG_4_8_0_RELEASE:1.1.1.8.2.2
	RELENG_4_8:1.1.1.8.2.2.0.6
	RELENG_4_8_BP:1.1.1.8.2.2
	v3-4-31:1.1.1.10
	RELENG_5_0_0_RELEASE:1.1.1.10
	RELENG_5_0:1.1.1.10.0.2
	RELENG_5_0_BP:1.1.1.10
	RELENG_4_7_0_RELEASE:1.1.1.8.2.2
	RELENG_4_7:1.1.1.8.2.2.0.4
	RELENG_4_7_BP:1.1.1.8.2.2
	v3-4-29:1.1.1.10
	RELENG_4_6_2_RELEASE:1.1.1.8.2.2
	RELENG_4_6_1_RELEASE:1.1.1.8.2.2
	RELENG_4_6_0_RELEASE:1.1.1.8.2.2
	v3-4-28:1.1.1.10
	RELENG_4_6:1.1.1.8.2.2.0.2
	RELENG_4_6_BP:1.1.1.8.2.2
	v3-4-27:1.1.1.10
	v3-4-26:1.1.1.10
	v3-4-25:1.1.1.10
	RELENG_4_5_0_RELEASE:1.1.1.8.2.1
	RELENG_4_5:1.1.1.8.2.1.0.6
	RELENG_4_5_BP:1.1.1.8.2.1
	RELENG_4_4_0_RELEASE:1.1.1.8.2.1
	RELENG_4_4:1.1.1.8.2.1.0.4
	RELENG_4_4_BP:1.1.1.8.2.1
	v3-4-20:1.1.1.9
	RELENG_4_3_0_RELEASE:1.1.1.8.2.1
	RELENG_4_3:1.1.1.8.2.1.0.2
	RELENG_4_3_BP:1.1.1.8.2.1
	v3-4-16:1.1.1.9
	rev:1.1.1.9
	RELENG_4_2_0_RELEASE:1.1.1.8.2.1
	v3-4-13:1.1.1.9
	v3-4-12:1.1.1.9
	RELENG_4_1_1_RELEASE:1.1.1.8.2.1
	PRE_SMPNG:1.1.1.9
	v3-4-9:1.1.1.9
	RELENG_4_1_0_RELEASE:1.1.1.8.2.1
	v3-4-8:1.1.1.9
	RELENG_3_5_0_RELEASE:1.1.1.6
	v3_4_4:1.1.1.9
	RELENG_4_0_0_RELEASE:1.1.1.8
	RELENG_4:1.1.1.8.0.2
	RELENG_4_BP:1.1.1.8
	v3_3_8:1.1.1.8
	v3_3_6:1.1.1.8
	RELENG_3_4_0_RELEASE:1.1.1.6
	v3_3_3:1.1.1.7
	RELENG_3_3_0_RELEASE:1.1.1.6
	RELENG_3_2_PAO:1.1.1.6.0.4
	RELENG_3_2_PAO_BP:1.1.1.6
	RELENG_3_2_0_RELEASE:1.1.1.6
	RELENG_3_1_0_RELEASE:1.1.1.6
	RELENG_3:1.1.1.6.0.2
	RELENG_3_BP:1.1.1.6
	RELENG_3_0_0_RELEASE:1.1.1.6
	v3_2_7:1.1.1.6
	v3_2_3:1.1.1.5
	v3_2_1:1.1.1.4
	v3-2-a7:1.1.1.3
	V3_2_A4:1.1.1.2
	ipfilter3_1_8:1.1.1.1
	DARRENR:1.1.1
	ipfilter3_1_7:1.1.1.1
	DARRENREED:1.1.1;
locks; strict;
comment	@# @;


1.1
date	97.02.09.22.49.50;	author darrenr;	state Exp;
branches
	1.1.1.1;
next	;

1.1.1.1
date	97.02.09.22.49.50;	author darrenr;	state Exp;
branches;
next	1.1.1.2;

1.1.1.2
date	97.04.03.10.14.14;	author darrenr;	state Exp;
branches;
next	1.1.1.3;

1.1.1.3
date	97.05.25.15.44.48;	author darrenr;	state Exp;
branches;
next	1.1.1.4;

1.1.1.4
date	97.11.16.04.49.00;	author peter;	state Exp;
branches;
next	1.1.1.5;

1.1.1.5
date	98.03.21.10.01.22;	author peter;	state Exp;
branches;
next	1.1.1.6;

1.1.1.6
date	98.06.20.18.28.32;	author peter;	state Exp;
branches;
next	1.1.1.7;

1.1.1.7
date	99.11.08.20.50.35;	author guido;	state Exp;
branches;
next	1.1.1.8;

1.1.1.8
date	2000.01.13.18.30.13;	author guido;	state Exp;
branches
	1.1.1.8.2.1;
next	1.1.1.9;

1.1.1.9
date	2000.05.24.02.14.17;	author darrenr;	state Exp;
branches;
next	1.1.1.10;

1.1.1.10
date	2002.03.19.11.45.07;	author darrenr;	state Exp;
branches;
next	1.1.1.11;

1.1.1.11
date	2005.04.25.17.30.45;	author darrenr;	state Exp;
branches;
next	1.1.1.12;

1.1.1.12
date	2005.04.25.17.40.37;	author darrenr;	state dead;
branches;
next	1.1.1.13;

1.1.1.13
date	2006.08.16.11.51.27;	author guido;	state Exp;
branches
	1.1.1.13.30.1;
next	;

1.1.1.8.2.1
date	2000.07.19.23.00.46;	author darrenr;	state Exp;
branches;
next	1.1.1.8.2.2;

1.1.1.8.2.2
date	2002.04.27.17.30.27;	author darrenr;	state Exp;
branches;
next	;

1.1.1.13.30.1
date	2006.08.16.11.51.27;	author svnexp;	state dead;
branches;
next	1.1.1.13.30.2;

1.1.1.13.30.2
date	2013.03.28.13.01.20;	author svnexp;	state Exp;
branches;
next	;


desc
@@


1.1
log
@Initial revision
@
text
@* automatically use the interface's IP# for NAT rather than any specific IP#

* use fr_tcpstate() with NAT code for increased NAT usage security or even
  fr_checkstate()

* use minor devices for controlling access to alternate parts of IP Filter
  such as filtering, accounting, state, NAT, etc.

* see if the Solaris2 and dynamic plumb/unplumb problem is solvable

time permitting:

* load balancing across interfaces

* record buffering for TCP/UDP

* modular application proxying

* investigate making logging better
@


1.1.1.1
log
@Import IP Filter v3.1.7 into FreeBSD tree
@
text
@@


1.1.1.2
log
@Import IP Filter version 3.2alpha4 to bring in working LKM for 2.2
@
text
@a1 2
 - Done. Use "0/32" as destination address/mask.  Uses first interface IP#
   set for an interface.
a19 6

* add reverse nat (similar to rdr) to map addresses going in both directions

* add 'tail' switch to ipmon
  (this might just be some changes to rdr).  In 1:1 relationships maybe make
  it an option.
@


1.1.1.3
log
@Import version 3.2alpha7
@
text
@d1 4
d6 4
a9 1
  fr_checkstate() - suspect this is not possible.
a19 1
on the way
a22 1
done ?
d24 2
a27 6

* keep fragment information for NAT/state entries automatically.
done

* support traceroute through the firewall

@


1.1.1.4
log
@Import ipfilter 3.2.1 (update from 3.1.8)
@
text
@a4 1
done ?
d15 6
a20 2
* keep fragment information for state entries automatically.
done for NAT
d22 1
a22 2
* support traceroute through the firewall
  (i.e. fix up ICMP errors coming back for NAT)
d25 1
a25 1
* allow multiple ip addresses in a source route list for ipsend
a26 1
* complete Linux port to implement all the IP Filter features
@


1.1.1.5
log
@Import ipfilter 3.2.3
@
text
@a25 11
return-rst done, to/dup-to/fastroute remain - ip_forward() problems :-(

* add switches to ipmon for better selective control over which logs are
  read/not read
done

* add a flag to automate src spoofing

* ipfsync() should change IP#'s in current mappings as well as what's
  in rules.
 
@


1.1.1.6
log
@Import trimmed version of ipfilter 3.2.7.

Obtained from:  Darren Reed via http://cheops.anu.edu.au/~avalon/
@
text
@a36 5
document bimap

document NAT rule order processing

add more docs
@


1.1.1.7
log
@Import of ipfilter 3.3.3  in anticipation of its revival.
More to come in the next days.
@
text
@a0 9
BUGS:
-----
* fix "to <ifname>" bug on FreeBSD 2.2.8
fastroute works

===============================================================================
GENERAL:
--------

d4 3
d19 4
d28 4
d37 1
a37 3
* document bimap

* document NAT rule order processing
d39 1
a39 2
* add more docs
in progress
d41 1
@


1.1.1.8
log
@Import of ipfilter 3.3.6 (freebsd relevant part)

Obtained from:	ftp://coombs.anu.edu.au/pub/net/firewall/ip-filter/ip_fil3.3.6.tar.gz
@
text
@a41 1
* fix up where manual pages go for Solaris2
@


1.1.1.8.2.1
log
@actually commit merged diffs to the trunk
@
text
@d20 4
a23 1
available
a28 1
on hold until rewrite
a30 1
done
a33 1
done
a41 43
3.4:
XDDD. I agree. Bandwidth Shaping and QoS (Quality of Service, AKA
traffic prioritization) should be *TOP* in the TO DO list.

* irc proxy for dcc
* Bandwidth limiting!!!
* More examples
* More documentation
* And did I mention bandwidth limiting???
* Load balancing features added to the NAT code, so that I can have
something coming in for 20.20.20.20:80 and it gets shuffled around between
internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever.
- done, stage 1 (round robin/split)
The one thing that Cisco's PIX has on IPF that I can see is that
rewrites the sequence numbers with semi-random ones.

I would also love to see a more extensive NAT.  It can choose to do
rdr and map based on saddr, daddr, sport and dport.  (Does the kernel
module already have functionality for that and it just needs support in
the userland ipnat?)

        * intrusion detection 
                detection of port scans 
                detection of multiple connection attempts
                
        * support for multiple log files
                i.e. all connections to ftp and telnet logged to 
                        a separate log file

        * multiple levels of log severity with E-mail notification
                of intrusion alerts or other high priority errors

        * poison pill facility
                after detection of a port scan, start sending back
                large packets of garbage or other packets to
                otherwise confuse the intruder (ping of death?)

* I ran into your solaris streams stuff and noticed you are
playing with mblk's in an unsafe way.  You seem to be modifying the
underlying datab without checking db_ref.  If db_ref is greater than one,
you'll need to copy the mblk,
- fixed

a42 12


IPv6:
-----
* NAT is yet not available, either as a null proxy or address translation

BSD:
* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.

Solaris:
* "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are.

@


1.1.1.8.2.2
log
@Update (finally) IPFilter on RELENG_4 CVS branch.
@
text
@a93 1
fixed.
@


1.1.1.9
log
@Import IP Filter 3.4.4 into FreeBSD-current
@
text
@d20 4
a23 1
available
a28 1
on hold until rewrite
a30 1
done
a33 1
done
a41 43
3.4:
XDDD. I agree. Bandwidth Shaping and QoS (Quality of Service, AKA
traffic prioritization) should be *TOP* in the TO DO list.

* irc proxy for dcc
* Bandwidth limiting!!!
* More examples
* More documentation
* And did I mention bandwidth limiting???
* Load balancing features added to the NAT code, so that I can have
something coming in for 20.20.20.20:80 and it gets shuffled around between
internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever.
- done, stage 1 (round robin/split)
The one thing that Cisco's PIX has on IPF that I can see is that
rewrites the sequence numbers with semi-random ones.

I would also love to see a more extensive NAT.  It can choose to do
rdr and map based on saddr, daddr, sport and dport.  (Does the kernel
module already have functionality for that and it just needs support in
the userland ipnat?)

        * intrusion detection 
                detection of port scans 
                detection of multiple connection attempts
                
        * support for multiple log files
                i.e. all connections to ftp and telnet logged to 
                        a separate log file

        * multiple levels of log severity with E-mail notification
                of intrusion alerts or other high priority errors

        * poison pill facility
                after detection of a port scan, start sending back
                large packets of garbage or other packets to
                otherwise confuse the intruder (ping of death?)

* I ran into your solaris streams stuff and noticed you are
playing with mblk's in an unsafe way.  You seem to be modifying the
underlying datab without checking db_ref.  If db_ref is greater than one,
you'll need to copy the mblk,
- fixed

a42 12


IPv6:
-----
* NAT is yet not available, either as a null proxy or address translation

BSD:
* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.

Solaris:
* "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are.

@


1.1.1.10
log
@Import IPFilter 3.4.25
@
text
@a93 1
fixed.
@


1.1.1.11
log
@import ipfilter 4.1.8 into the vendor branch
@
text
@a9 2
* support redirection like "rdr tun0 0/32 port 80 ..."

a12 3
* add another alias for <thishost> for interfaces <thisif>? as well as
  all IP#'s associated with the box <myaddrs>?

d20 1
a20 1
-done
d24 11
a34 3
* port IP Filter to Linux
Not in this century.

d46 1
a47 1
maybe for solaris, otherwise "ALTQ"
d50 1
a56 1
- done
a61 1
-sort of done
d79 9
d94 1
a98 12
Tru64:
------
* IPv6 checksum calculation for RST's and ICMP packets is not done (there
  are routines in the Tru64 kernel to do this but what is the interface?)

does bimap allow equal sized subnets?

make return-icmp 'intelligent' if no type is given about what type to use?

reply-to - enforce packets to pass through interfaces in particular
combinations - opposite to "to", set reverse path interface

@


1.1.1.12
log
@these files should never have been imported...they are junk
@
text
@@


1.1.1.13
log
@Import IP Filter 4.1.13
@
text
@@


1.1.1.13.30.1
log
@file todo was added on branch RELENG_8_4 on 2013-03-28 13:01:20 +0000
@
text
@d1 98
@


1.1.1.13.30.2
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/248810
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@a0 98
BUGS:
-----
* fix "to <ifname>" bug on FreeBSD 2.2.8
fastroute works

===============================================================================
GENERAL:
--------

* support redirection like "rdr tun0 0/32 port 80 ..."

* use fr_tcpstate() with NAT code for increased NAT usage security or even
  fr_checkstate() - suspect this is not possible.

* add another alias for <thishost> for interfaces <thisif>? as well as
  all IP#'s associated with the box <myaddrs>?

time permitting:

* load balancing across interfaces

* record buffering for TCP/UDP

* modular application proxying
-done

* allow multiple ip addresses in a source route list for ipsend

* port IP Filter to Linux
Not in this century.

* document bimap

* document NAT rule order processing

* add more docs
in progress

3.4:
XDDD. I agree. Bandwidth Shaping and QoS (Quality of Service, AKA
traffic prioritization) should be *TOP* in the TO DO list.

* Bandwidth limiting!!!
maybe for solaris, otherwise "ALTQ"
* More examples
* More documentation
* Load balancing features added to the NAT code, so that I can have
something coming in for 20.20.20.20:80 and it gets shuffled around between
internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever.
- done, stage 1 (round robin/split)
The one thing that Cisco's PIX has on IPF that I can see is that
rewrites the sequence numbers with semi-random ones.
- done

I would also love to see a more extensive NAT.  It can choose to do
rdr and map based on saddr, daddr, sport and dport.  (Does the kernel
module already have functionality for that and it just needs support in
the userland ipnat?)
-sort of done

        * intrusion detection 
                detection of port scans 
                detection of multiple connection attempts
                
        * support for multiple log files
                i.e. all connections to ftp and telnet logged to 
                        a separate log file

        * multiple levels of log severity with E-mail notification
                of intrusion alerts or other high priority errors

        * poison pill facility
                after detection of a port scan, start sending back
                large packets of garbage or other packets to
                otherwise confuse the intruder (ping of death?)

IPv6:
-----
* NAT is yet not available, either as a null proxy or address translation

BSD:
* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.

Solaris:
* "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are.

Tru64:
------
* IPv6 checksum calculation for RST's and ICMP packets is not done (there
  are routines in the Tru64 kernel to do this but what is the interface?)

does bimap allow equal sized subnets?

make return-icmp 'intelligent' if no type is given about what type to use?

reply-to - enforce packets to pass through interfaces in particular
combinations - opposite to "to", set reverse path interface

@


