TODO "firewall-easy ROADMAP"

  + USERCONN does not allow output of ICMP type 3 (and RST?) for denied connections



Next release:
- check masqueraded redirect support in 2.2 and 2.4;
    add config vars such as IWWW=0/0 and WWWREDIR=192.168.0.1:8080,
    ISMTP, IPOP3, SSHREDIR



Future:
- variable support in the port field of firewall-easy-lib (for $PROTECT_TCP / UDP)
- autodetection of services: $PROTECT_TCP = "`list-protect tcp $LOCALNET_IPS`"
- run firewall start (up) twice (once more at the end of start to detect servers), or
    "firewall-easy onlylo" (startlo) first and "firewall-easy start" later
- Dynamically detect listening high ports and add an automatic "NO" rule
    This needs some way to skip the ports of a given process (by process, not by
    port number) so they can be left open if desired, e.g. named UDP port 10xx
- how to open a graphic tty with conntrack or firewall-easy-mon
- ip_conntrack_ftp is loaded inside a loop in the script, so it gets loaded several times
- man firewall-easy.conf (currently the config file is self-documented)
- restrict user & dest port in USERCONN="named:dns fetchmail:pop3"
- restrict user & source port in USERREPLY="www-data:www postfix:smtp"
- PID: -m owner --pid-owner 1234 (number) + autodetection of server PIDs
- SESSION: -m owner --sid-owner 1234
- RST for auth/ident for certain IPs via variable $RST_IDENT (SMTP, FTP, etc...)
- Separate ADSL from DHCP_NOLOG so that DHCP requests on the ADSL link are not logged
- web access to firewall-easylist, firewall-easy-mon, firewall-conntrack
- man es
- var to NO MASQ/FORWARD
- firewall-easy list2: list of rules in easy format (as in firewall-easy-lib)
- firewall-easy-report: weekly report of traffic by mail (= list counters > 0)
    + reset counters
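The two items above about autodetecting services (list-protect) and dynamically detecting listening high ports while skipping ports by owning process share one mechanism: read the listening sockets with their program names and turn them into a port list. The following POSIX sh snippet is an added example, not code from firewall-easy; it parses "netstat -tulnp"-style output (the sample below is constructed) and the function names list_listening and high_ports are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of firewall-easy.
# Constructed sample of "netstat -tulnp" output: tcp rows have a State column,
# udp rows do not, so the program name is always taken from the last field.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN      1023/rpc.statd
udp        0      0 0.0.0.0:1027            0.0.0.0:*                           640/named
udp        0      0 0.0.0.0:53              0.0.0.0:*                           640/named'

# list_listening PROTO SKIP_PROGS  (reads netstat output on stdin)
# Prints one listening port per line for PROTO (tcp|udp), sorted numerically.
# Ports are skipped by the owning program name listed in SKIP_PROGS (space
# separated), never by port number, so a daemon on a changing high port
# (e.g. named on udp 10xx) can still be left open deliberately.
list_listening() {
    proto=$1
    skip=" $2 "
    awk -v proto="$proto" -v skip="$skip" '
        $1 == proto {
            # Local Address is addr:port; the port is after the last colon
            n = split($4, a, ":"); port = a[n]
            # PID/Program name is the last field, pid/name
            m = split($NF, p, "/"); prog = p[m]
            if (index(skip, " " prog " ") == 0) print port
        }' | sort -n | uniq
}

# high_ports PROTO SKIP_PROGS: only the unprivileged (HI) range, >= 1024,
# i.e. the candidates for an automatic "NO" rule.
high_ports() {
    list_listening "$1" "$2" | awk '$1 >= 1024'
}

# Usage on a live system (not run here):
#   PROTECT_TCP="$(netstat -tulnp 2>/dev/null | list_listening tcp '' | tr '\n' ' ')"
#   netstat -tulnp 2>/dev/null | high_ports udp "named"
printf '%s\n' "$SAMPLE_NETSTAT" | list_listening tcp ""
```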


Really needed?
- raw drop rules while looking at text ttys: conntrack on tty10 and
    firewall-easy-mon on tty11
- autodetection of private nets to forbid: privatenotlocal-nets $ADSL
- firewall-easy nolog (only 2.2 or also 2.4?) to avoid a DoS flooding the hard disk,
    instead of the fixed config as now
- *f = 2.4 sanity check on accepted packets based on the state engine
- Split config by interface, having each interface as a separate chain with the
    possibility of bringing it up and down (impossible with e.g. ipfwadm)
- 2.4: use ESTABLISHED/RELATED with icmp?
- Close icmp to all except the server (covert channels)
- Count rule for vpn
- How to apply the firewall to network clients while allowing intranet services?
- keep packet counters across power off
- Doc: installation if ADSL is used
- gfirewall-easy package: possible graphical front-end (glade+python) for
    firewall-list, firewall-easylist, firewall-easy-mon


TO TEST MORE:
- Is it possible to log the process pid? or uid? or gid?
- 2.4.20 match by process name: -m owner --cmd-owner process_name
- 2.4.20 limit number of clients: -m iplimit --iplimit-above 2 -j REJECT
- Is TOS active only during forward?
- is insmod ip_nat_ftp needed for masquerade?
- 2.4 local REDIR does not work (pop3) ***test more***
- 2.4 FORWARD does not work locally, not even with only two PCs ***test more***
- is rule ">  tcp   HI <> *" needed for any passive ftp? ***test more***
- netstat -tunaM (masquerade) in Potato seems not to work on a 2.4 kernel
- Sometimes when accessing www with a 2.4 kernel you will see packets in the log such as:
    DROP->IN=ppp0 OUT= MAC= SRC=194.126.131.164
    DST=62.37.32.16 LEN=52 TOS=0x10 PREC=0x00 TTL=241 ID=7421 DF
    PROTO=TCP SPT=80 DPT=1292 WINDOW=33304 RES=0x00 ACK FIN URGP=0
    Why are they not considered ESTABLISHED?
    -> sometimes they are scans
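The logged packet above carries ACK FIN but no SYN: the state match only says ESTABLISHED for packets whose connection is still in the conntrack table, and once the entry has timed out (or the firewall never saw the SYN) a late FIN/ACK from a web server looks exactly like an ACK/FIN probe from a scanner, which is why the same log line can mean either. The POSIX sh snippet below is an added example, not part of firewall-easy: it parses kernel LOG lines of the format shown above into fields and flags, and classifies each packet so the two cases can be told apart from the SYN flag. The first sample line is the one from this file (reassembled on one line), the other two are constructed; the function name classify_log is an assumption.

```shell
#!/bin/sh
# Added example, not part of firewall-easy.
# Sample kernel LOG lines: the first is the line quoted in this TODO file,
# the second and third are constructed (TEST-NET addresses).
SAMPLE_LOG='DROP->IN=ppp0 OUT= MAC= SRC=194.126.131.164 DST=62.37.32.16 LEN=52 TOS=0x10 PREC=0x00 TTL=241 ID=7421 DF PROTO=TCP SPT=80 DPT=1292 WINDOW=33304 RES=0x00 ACK FIN URGP=0
DROP->IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=62.37.32.16 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=34567 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
DROP->IN=ppp0 OUT= MAC= SRC=192.0.2.53 DST=62.37.32.16 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=UDP SPT=53 DPT=1027'

# classify_log  (reads LOG lines on stdin)
# Prints "SRC:SPT -> DST:DPT [FLAGS] class" per line, where class is:
#   new-syn                : SYN without ACK, a fresh connection attempt
#   syn-ack                : SYN+ACK, reply to a SYN this host sent
#   non-syn-without-state  : no SYN at all; conntrack has no entry for it, so
#                            --state ESTABLISHED cannot match. Either a late
#                            FIN/ACK/RST after the entry expired, or a probe.
#   not-tcp                : UDP, ICMP, ...
classify_log() {
    awk '
    {
        split("", kv); flags = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "=") > 0) {
                # key=value token (the first one is DROP->IN=..., also fine)
                split($i, p, "="); kv[p[1]] = p[2]
            } else if ($i ~ /^(SYN|ACK|FIN|RST|PSH|URG)$/) {
                flags = flags (flags == "" ? "" : ",") $i
            }
        }
        if (kv["PROTO"] != "TCP") cls = "not-tcp"
        else if (flags ~ /SYN/ && flags !~ /ACK/) cls = "new-syn"
        else if (flags !~ /SYN/) cls = "non-syn-without-state"
        else cls = "syn-ack"
        printf "%s:%s -> %s:%s [%s] %s\n", kv["SRC"], kv["SPT"], kv["DST"], kv["DPT"], flags, cls
    }'
}

# A widely used defensive rule for the non-syn-without-state case is to drop
# TCP packets that are NEW to conntrack but do not carry SYN, e.g. in 2.4:
#   iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# (shown as a comment only; this script does not change the firewall).
printf '%s\n' "$SAMPLE_LOG" | classify_log
```

Stale FIN/ACK packets from the server on port 80 and ACK/FIN probes get the same class, as they should: the log line alone cannot separate them; only a matching outbound connection shortly before (or many such lines from one source across many ports) tells a late close from a scan.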


REPORT BUGS:
- 2.4 log does not log the owner process name/pid/uid/gid (-m owner) ***test more***
- 2.4 TOS bug in iptables ***test more***
- 2.4 iptables bug in ->IP:www in FORWARD and PROXY: only numbers are allowed in the port
- 2.4 bug: the INPUT chain cannot be called directly from FORWARD
