On 2/28/06, Adam Gibson <[EMAIL PROTECTED]> wrote:
> - static UDP source ports by default. No need to create special NAT
> mappings with pfsense which is cumbersome. This solves problems hosting
> game servers (where the master server uses the source port that it
> receives from the game server when listing the game server to others).
> Note that m0n0wall can't support this at all from all the information I
> have found currently because the packet filter in 4.x bsd doesn't
> support it. The static-port option was created as a pf feature in some
> version of 5.x bsd and not ipf.

I believe that's incorrect. I'm reasonably confident that IPFilter can do static mappings on its NAT.

> - Time rules without needing scripts or cron jobs.

Yeah, that's never going to happen in PF, nor should it. Cron was designed to schedule jobs to run; it can do a perfectly adequate job, we just need to write the code.

> - conntrack(nat) modules for irc, amanda, netbiosns, and many other
> modules to make protocols work or work better by default without needing
> helper applications to get them working behind NAT.

The NAT modules just aren't there yet as nobody with the skill and desire has written them. I agree that it's a pain, but I personally find the linux filtering engines to be a pain to work with too.

> - Ability to pick from a bunch of extra features in patch-o-matic for
> even more nat modules and such.

sounds scary

> - different logging features. Ability to put a text description in
> syslog logging messages for firewall rules.

Hrm, that may actually already be doable, we just don't expose it. I've got better ideas along these lines anyway.

> - Ability to push accept/drop/reject decisions to userspace using ipq.
> Imagine a firewall that blocks everything by default and then when you
> run the firewall administration web page, any new connections will be
> displayed and allow the user to accept or deny it so that the user can
> automatically generate rules based on that information. I mainly use
> this for creating zonealarm type functionality on Linux currently where
> a gui X windows comes up asking the user to allow or reject any
> incoming or outgoing connections.

There are good reasons to not do that. With that said, it's trivial to do if anyone wants to write the code - I can give plenty of direction on what needs to be done. What you describe can easily be done with tcpdump and a wrapper on it (or a "create rule" button on the denies log page along with a deny further connections button on the states display page).
What I just described I'll actually put on my "if you wanted to be a pfSense dev and dunno what to work on" wiki page, it's something I'd consider an "easy" task for someone interested. --Bill
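As an added illustration of the two pf points discussed above (this is an editor's example, not part of Bill's or Adam's messages): a pf.conf fragment using the static-port NAT option for the game-server case, plus an anchor that cron loads and flushes to get time-based rules. The interface name, networks, host address, port and crontab paths are all assumed.

```pf
# Added example, not from the thread. Interface, network and port values are assumed.
ext_if   = "fxp0"
lan_net  = "192.168.1.0/24"
game_srv = "192.168.1.10"   # assumed LAN host running the game server
game_port = "27960"         # assumed UDP port the game server listens on

# Outbound NAT. 'static-port' keeps the original UDP source port instead of
# rewriting it to a random high port, so the master server records the port the
# game server actually sends from. First matching nat rule wins, so the game
# host gets static-port and every other LAN host keeps randomized source ports,
# which are harder for an outside party to predict.
nat on $ext_if proto udp from $game_srv to any -> ($ext_if) static-port
nat on $ext_if from $lan_net to any -> ($ext_if)

# Inbound redirect so players can reach the game server through the firewall.
rdr on $ext_if proto udp from any to ($ext_if) port $game_port -> $game_srv port $game_port

# Default deny inbound and log it; the filter sees the post-rdr destination.
block in log all
pass out keep state
pass in on $ext_if proto udp from any to $game_srv port $game_port keep state

# Time-based rules live in a separate anchor. The main ruleset only evaluates
# whatever cron has loaded into the anchor at that moment.
anchor "timed"

# Crontab lines (assumed paths): load the extra rules 08:00-18:00 on weekdays,
# then flush the anchor so the rules disappear outside that window.
#   0 8  * * 1-5  /sbin/pfctl -a timed -f /etc/pf.timed.conf
#   0 18 * * 1-5  /sbin/pfctl -a timed -F rules
```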
