$Id: TODO,v 1.6 2003/10/07 23:42:17 ktsaou Exp $

The following is a list of features I plan to add to FireHOL,
assuming that my time permits and there is demand for them.

The list is in the order in which I intend to implement them:

1.The ability to have multiple versions of the firewall in memory and "activate"
  them on demand. This can be done if each "start" of FireHOL produces all the
  iptables rules in one "numbered" iptables chain (in each built-in table and
  chain), and the versions are then switched with "firehol activate 1" and
  "firehol activate 2". This will also solve the issue that FireHOL allows all
  traffic during firewall activation.

  This will also provide a method for dynamic configuration of firehol, so that
  changes would be applied without stopping and restarting the whole firewall.
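The following is an added sketch of this idea, not FireHOL code: every rule of a version lives in a chain named fh_<version>_<table>_<chain> (an assumed naming scheme), each built-in chain holds exactly one rule, a jump to the current version, and activation replaces that one rule in place. IPT is a dry-run wrapper that prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added sketch (not FireHOL code) of numbered rule sets with an in-place switch.
# IPT is a dry-run wrapper that prints each iptables command instead of running
# it; set IPT=/sbin/iptables (as root) to apply the commands for real.
IPT="${IPT:-echo iptables}"
TABLES="filter nat mangle"

# Built-in chains of each table (stock iptables; the nat INPUT chain is left
# out because older kernels do not have it).
chains_of() {
    case "$1" in
        filter) echo "INPUT OUTPUT FORWARD" ;;
        nat)    echo "PREROUTING POSTROUTING OUTPUT" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
    esac
}

# Assumed naming: version $3 of built-in chain $2 in table $1 is fh_<v>_<table>_<chain>.
vchain() { echo "fh_${3}_${1}_${2}"; }

# Create the empty numbered chains for version $1; the real rules are
# appended into these chains afterwards (see fill_version).
build_version() {
    for t in $TABLES; do
        for c in $(chains_of "$t"); do
            $IPT -t "$t" -N "$(vchain "$t" "$c" "$1")"
        done
    done
}

# Constructed sample content for a version, entirely inside its own chains.
fill_version() {
    in_chain="$(vchain filter INPUT "$1")"
    $IPT -t filter -A "$in_chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A "$in_chain" -p tcp --dport 22 -j ACCEPT
    $IPT -t filter -A "$in_chain" -j DROP
}

# One-time setup: each built-in chain gets exactly one rule, a jump to the
# numbered chain of version $1. Everything else lives in numbered chains.
bootstrap() {
    for t in $TABLES; do
        for c in $(chains_of "$t"); do
            $IPT -t "$t" -I "$c" 1 -j "$(vchain "$t" "$c" "$1")"
        done
    done
}

# Switch to version $1 by replacing (-R) rule 1 of each built-in chain.
# The new version is already complete when the jump moves, and each -R is a
# single table update in the kernel, so no packet is ever evaluated against a
# half-built rule set: that is the "all traffic allowed during activation"
# window of a flush-and-rebuild. The switch is atomic per chain, not across
# all chains at once; the old version can be deleted after the switch.
activate() {
    for t in $TABLES; do
        for c in $(chains_of "$t"); do
            $IPT -t "$t" -R "$c" 1 -j "$(vchain "$t" "$c" "$1")"
        done
    done
}

# Usage (dry run prints the commands):
#   bootstrap 1; build_version 2; fill_version 2; activate 2
```

Because the switch only rewrites the jump rules, the same mechanism gives the dynamic reconfiguration mentioned above: build version N+1 in the background while version N keeps filtering, then activate it.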

2.Protections on interfaces should operate only when the firewall is going to
  allow the traffic.
  Now, protections operate on a per network interface basis, before the
  firewall rules, which means that an attacker could cause a denial of
  service on http simply by SYN-FLOODing port 32000.
  Of course, the attacker can always SYN-FLOOD the http service itself to make
  the firewall temporarily drop all connections anyway.
  So, this ToDo item describes the optimum way of doing it, without implying
  that the current behaviour is wrong.
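As an added illustration of the ordering problem (not FireHOL code), the two functions below print the iptables commands for a per-interface SYN limit placed before the service rules and for a per-service limit placed only on the path the firewall would accept. IPT is a dry-run wrapper; the chain names in_<iface>, synflood_<iface> and <service>_<iface> and the limit values are assumptions.

```shell
#!/bin/sh
# Added sketch (not FireHOL code) contrasting the two orderings of a SYN-rate
# protection, printed as iptables commands. IPT is a dry-run wrapper; chain
# names and the limit values are constructed for the example.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-eth0}"
LIMIT="--limit 10/s --limit-burst 50"   # constructed sample rate

# Current ordering: one SYN limit for the whole interface, checked before any
# service rule. SYNs to a port nobody listens on (32000) drain the same token
# bucket as SYNs to port 80, so a flood on 32000 starves http as well.
protect_then_filter() {
    c="in_$IFACE"; p="synflood_$IFACE"
    $IPT -N "$c"
    $IPT -A INPUT -i "$IFACE" -j "$c"
    $IPT -N "$p"
    $IPT -A "$p" -m limit $LIMIT -j RETURN       # within budget: go on to the rules
    $IPT -A "$p" -j DROP                          # over budget: drop, whatever the port
    $IPT -A "$c" -p tcp --syn -j "$p"             # protection applies to every SYN
    $IPT -A "$c" -p tcp --dport 80 -j ACCEPT
    $IPT -A "$c" -p tcp --dport 22 -j ACCEPT
    $IPT -A "$c" -j DROP                          # SYNs to 32000 end here, too late
}

# Proposed ordering: the limit is evaluated only for traffic the firewall is
# about to accept, and each service has its own bucket. SYNs to 32000 are
# dropped without touching any counter, so they cannot affect http.
filter_then_protect() {
    c="in_$IFACE"
    $IPT -N "$c"
    $IPT -A INPUT -i "$IFACE" -j "$c"
    for svc in "http 80" "ssh 22"; do
        set -- $svc
        s="${1}_$IFACE"
        $IPT -N "$s"
        $IPT -A "$s" -p tcp --syn -m limit $LIMIT -j ACCEPT        # new connections, rate limited
        $IPT -A "$s" -p tcp --syn -j DROP
        $IPT -A "$s" -m state --state ESTABLISHED,RELATED -j ACCEPT  # rest of the flow
        $IPT -A "$c" -p tcp --dport "$2" -j "$s"
    done
    $IPT -A "$c" -j DROP
}
```

In the second form the limit rule is reached only after the port test has decided that the packet belongs to an accepted service, which is exactly the "operate only when the firewall is going to allow the traffic" behaviour this item asks for; it also gives every service its own counter, as item 6 below wants.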

3.Extend HELPME to guess network broadcast addresses too.

4.Bandwidth accounting support per firehol element.

5.Show the currently active connections from the connection tracker
  (like a network top). There are a few other tools for this, but ideally, our
  solution should show the active connections categorized according to firehol
  rules, not iptables rules.
  
6.Protections should be able to be applied to each firehol element
  individually.

7.Support groups of services. Today, an interface or a router is much like
  a group. Ideally, we should also support subgroups that will allow the
  sharing of common protections and src/dst restrictions and, in the future,
  common NAT and bandwidth shaping values.

8.Ideally I would like to achieve a situation where FireHOL
  directives will be something like:

  interface eth0 internet maxbw 1Mbps queue-type htb
      server smtp accept      \
          maxbw 128kbps       \
          priority low        \
          dnat mailhost.domain.com

      server http accept      \
          maxbw all           \
          priority med        \
          dnat "1.1.1.1 2.2.2.2" # this is load balancing

      client ssh accept priority hi

  I guess the only way to implement this is by making heavy use of the
  MANGLE table and uniquely MARKing the packets of each FireHOL rule. This
  will allow all iptables tables (mangle, nat, filter) and iproute to share
  the same traffic categorization (through the MARK id on each packet). Some
  research has to be done to find out if this is possible.
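The added sketch below (not FireHOL code) shows how the mark-based categorization could tie the tables together for the "server ... maxbw ... dnat" directives above: each rule gets a unique mark set once in mangle/PREROUTING, and the nat DNAT rule, the filter ACCEPT rule and the tc class all key on that mark. IPT and TC are dry-run wrappers that print commands; IN_DEV, OUT_DEV, the 1:<mark> class numbering and the rate/priority arguments (given in tc's own syntax) are assumptions.

```shell
#!/bin/sh
# Added sketch (not FireHOL code) of the MARK idea: one mark per FireHOL rule,
# set once in the mangle table and then matched by nat, filter and tc so that
# all of them share the same classification. IPT and TC are dry-run wrappers
# that print commands; set them to the real binaries (as root) to apply.
IPT="${IPT:-echo iptables}"
TC="${TC:-echo tc}"
IN_DEV="${IN_DEV:-eth0}"     # assumed: interface the client traffic arrives on
OUT_DEV="${OUT_DEV:-eth1}"   # assumed: interface it leaves on, where egress shaping happens
NEXT_MARK=1                  # marks are handed out sequentially, one per rule
LAST_MARK=0                  # mark of the most recently defined rule

# HTB root on the outgoing interface; $1 is the interface's total bandwidth.
shaper_root() {
    $TC qdisc add dev "$OUT_DEV" root handle 1: htb default 1
    $TC class add dev "$OUT_DEV" parent 1: classid 1:1 htb rate "$1"
}

# server PROTO PORT RATE PRIO [DNAT_TARGET], e.g. server tcp 25 128kbit 7 192.0.2.10
# RATE and PRIO are passed straight to tc; translating "128kbps"/"low" is left out.
server() {
    proto="$1"; port="$2"; rate="$3"; prio="$4"; target="$5"
    mark=$NEXT_MARK; NEXT_MARK=$((NEXT_MARK + 1)); LAST_MARK=$mark
    # 1. classify once, before nat runs, so the mark survives address rewriting
    $IPT -t mangle -A PREROUTING -i "$IN_DEV" -p "$proto" --dport "$port" \
        -j MARK --set-mark "$mark"
    # 2. nat and filter decisions look only at the mark
    if [ -n "$target" ]; then
        $IPT -t nat -A PREROUTING -m mark --mark "$mark" -j DNAT --to-destination "$target"
        $IPT -t filter -A FORWARD -m mark --mark "$mark" -j ACCEPT   # forwarded to the real host
    else
        $IPT -t filter -A INPUT -m mark --mark "$mark" -j ACCEPT     # served by this host
    fi
    # 3. the shaper uses the same mark as the flow identifier (fw classifier)
    $TC class add dev "$OUT_DEV" parent 1:1 classid "1:$mark" htb rate "$rate" prio "$prio"
    $TC filter add dev "$OUT_DEV" parent 1: protocol ip handle "$mark" fw flowid "1:$mark"
}

# Usage (dry run prints the commands for the smtp and http directives above):
#   shaper_root 1mbit
#   server tcp 25 128kbit 7 192.0.2.10
#   server tcp 80 1mbit 4 192.0.2.11
```

Two points of the "research" this item mentions show up even in the sketch: the mark is set on the request direction only, so shaping the replies of a locally served port needs the mark carried through connection tracking (the CONNMARK target and match) and restored on the outgoing packets; and the tc class for a DNAT'd server has to sit on the interface the forwarded packets actually leave on, which is not the interface the directive is written under.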

9.  A Web interface for configuring FireHOL.

10. A secure mechanism for centralized control of a large number
    of Linux hosts and routers.

