Just some suggestions.

1) Lists should be allowed to contain only one value, or none.  Requiring
braces when > 1 value and requiring no braces when <2 values are
present is a pain for automated rule generation and should be very
easy to implement.

2) Sticky queue assignments.  Using tags for many purposes gets clunky.

3) A neutral rule, which doesn't affect pass/block status, but allows
one to assign a queue or assign a tag or what-have-you, orthogonal to
pass/block filtering decisions.  Can be done by placing it before
your "default deny" and other filtering rules, but that makes the "default
deny" rules and such less obvious.

4) A way to specify a network(s) directly attached to an interface,
minus the IP address of the interface itself.  I may want people to be
able to talk to something on my DMZ, but I don't want them to talk to
the IP of my firewall on that DMZ network!  Can be done with tables,
but is probably simple/frequent enough that a new :suffix could be
added for it.

5) Rules symmetric to nat and rdr, i.e., change dst IP on outbound
packets, change src IP on inbound packets.

6) A way to simulate packets hitting the filter, so that I may create
a regression-test suite for my firewall rules.
--
"Curiosity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
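As an added illustration (not part of the original post), this is the table-based workaround the post mentions under item 4, in pf.conf syntax; the interface names and the 192.0.2.0/24 DMZ addresses are assumed values:

```pf
# Added example, not from the original post. Interface names and the
# 192.0.2.0/24 DMZ network are assumed values for illustration.
ext_if = "em0"
dmz_if = "em1"

# The DMZ network with the firewall's own DMZ address (192.0.2.1) taken
# out: a "!" entry excludes that address from matches against the table.
table <dmz_reachable> const { 192.0.2.0/24, !192.0.2.1 }

# Default deny stays first and obvious; the last matching rule wins.
block log all

# Outside hosts may reach web servers on the DMZ, but not the firewall's
# DMZ address, because 192.0.2.1 never matches <dmz_reachable>.
pass in on $ext_if proto tcp from any to <dmz_reachable> \
    port { 80, 443 } keep state
```

`pfctl -nf pf.conf` parses the file without loading it, and `pfctl -t dmz_reachable -T test 192.0.2.1` reports whether an address matches the loaded table, which is a quick check that the exclusion took effect.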