Most recent edit on 2008-03-28 05:33:45 by ScottLambert
Additions:
For example option tftp-server-name and option bootfile-name including $MAC Variable for configuring e.g. VoIP telephony devices
* This would be really useful to let people make plugins for things like automatic port opening for VoIP services, IM file transfers, and games.
A system to daily send a backup of all configuration files.
Deletions:
For example option tftp-server-name and option bootfile-name including $MAC Variable for configuring e.g. VoiP telephony devices
* This would be really useful to let people make plugins for things like automatic port opening for VOIP services, IM file transfers, and games.
A system to daily send an backup of all configuration files.
Edited on 2008-01-29 16:54:16 by IngmarHupp
Additions:
OpenVPN LDAP authentication
The option to use an LDAP directory server to authenticate OpenVPN users (in addition to certificates). Could be done either via http://dpw.threerings.net/projects/openvpn-auth-ldap/ or per OpenVPN's "auth-user-pass-verify" option and a small script that checks against LDAP and outputs an appropriate exit code. Either way it would require some sort of LDAP lib (probably OpenLDAP).
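As an added example (not from this page, from pfSense, or from the openvpn-auth-ldap project), a Python take on the "small script" route: it hand-encodes an LDAPv3 simple bind so it needs no LDAP library, reads the credentials OpenVPN hands over with the via-file method, and exits 0 only when the directory answers resultCode 0. The host ldap.example.com, the uid=...,ou=people,dc=example,dc=com DN layout and port 636 are assumed placeholders; it also shows the two checks such a script must not skip (rejecting an empty password, which LDAP treats as an anonymous bind, and escaping the username before it goes into the DN).

```python
import socket, ssl, sys

def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV (definite length, short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def tlv(buf: bytes, pos: int = 0):
    """Decode one short-form TLV at pos -> (tag, value, next pos); a BindResponse fits."""
    ln = buf[pos + 1]
    return buf[pos], buf[pos + 2:pos + 2 + ln], pos + 2 + ln

def escape_dn_value(v: str) -> str:
    """RFC 4514 escaping so a crafted username cannot alter the bind DN."""
    return "".join("\\" + c if c in ',+"\\<>;=' or (c == "#" and i == 0)
                   or (c == " " and i in (0, len(v) - 1)) else c for i, c in enumerate(v))

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPv3 BindRequest (RFC 4511) with simple authentication."""
    op = ber(0x02, b"\x03") + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, op))

def bind_result_code(reply: bytes) -> int:
    """resultCode of a BindResponse; -1 for anything malformed (treated as failure)."""
    try:
        _, msg, _ = tlv(reply)
        tag, resp, _ = tlv(msg, tlv(msg)[2])   # skip messageID; [APPLICATION 1] BindResponse
        ctag, code, _ = tlv(resp)              # ENUMERATED resultCode, exactly one byte
        return code[0] if (tag, ctag, len(code)) == (0x61, 0x0A, 1) else -1
    except IndexError:
        return -1

def verify(user: str, password: str, host: str = "ldap.example.com") -> bool:
    """True only on resultCode 0. Host and DN layout are assumed placeholders."""
    if not user or not password:   # empty password = RFC 4513 anonymous bind, which "succeeds"
        return False
    dn = "uid=%s,ou=people,dc=example,dc=com" % escape_dn_value(user)
    # LDAPS (636) with certificate validation: the password must not cross the wire in clear
    with socket.create_connection((host, 636), timeout=5) as raw, \
            ssl.create_default_context().wrap_socket(raw, server_hostname=host) as s:
        s.sendall(bind_request(1, dn, password))
        return bind_result_code(s.recv(4096)) == 0

if __name__ == "__main__":   # auth-user-pass-verify ... via-file: argv[1] holds user, then password
    with open(sys.argv[1]) as f:
        user, password = f.readline().rstrip("\n"), f.readline().rstrip("\n")
    sys.exit(0 if verify(user, password) else 1)
```

Wire it in with `auth-user-pass-verify /path/ldap-bind.py via-file` in the server config; OpenVPN writes the username on line 1 and the password on line 2 of a temporary file and accepts the client only on exit status 0.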
Edited on 2007-10-16 02:22:51 by RichardBarrington [Added request for ZFS support if/when FreeBSD 7 is used.]
Additions:
ZFS Support
http://wiki.freebsd.org/ZFS
http://www.opensolaris.org/os/community/zfs/whatis/
This has recently been introduced to FreeBSD 7, so would be useful for the dynamic parts of the filesystem (squid, ftp, logging, and so on). Perhaps if/when pfSense migrates to the newer kernel, this could be supported.
Edited on 2007-10-16 01:58:33 by RichardBarrington
Additions:
USB driver support and motion detection to only record/transmit when there is something interesting going on.
Pattern compatibility with L7-filter for IPTables on Linux might be useful. http://l7-filter.sourceforge.net/
Edited on 2007-10-11 21:51:23 by ChrisBuechler
Deletions:
sipproxd
Edited on 2007-10-11 21:50:10 by ChrisBuechler
Additions:
sipproxd
Deletions:
asterisk voip gateway
siproxd supports phone registration and NAT traversal, including upstream proxy/gateway forwarding.
Edited on 2007-10-11 00:22:13 by ChrisBuechler
Deletions:
One feature that's keeping me from deploying pfSense on a wider scale is lack of support for either PCI or USB ADSL modems. If I use a bridge, what's to stop USERS plugging into that and skipping the firewall!
comment from CMB - if they don't have your PPPoE username and password, or public IP info, or something of that nature, they won't be able to do that successfully. Plus, if people have physical access to your firewall, you're not protected from those people anyway.
I know most PCI/USB modems (the cheap ones) have a licence agreement to install the BSD drivers, but could some click-through be developed to let people download and install the drivers? This way you don't have to redistribute the firmware. The user downloads and installs via a webGUI wizard. All you need then is a setting for PPPoA. This would then set pfSense streets ahead of any rivals.
vsat
* connect using one-way vsat dvb card?
Most of the "one-way" drivers are proprietary, although I'd love to see an open source version. (-GlennPowers)
* two way vsat?
Most of these have dedicated satellite modems with ethernet connections. (-GlennPowers)
Edited on 2007-10-11 00:20:44 by ChrisBuechler
Additions:
Captive portal
Support for multiple interfaces
siproxd supports phone registration and NAT traversal, including upstream proxy/gateway forwarding.
Layer 7 capabilities
For both firewalling and traffic shaping
Deletions:
pre configured LAN & WAN
* any first found interface is set as LAN and the second as WAN
* give LAN an ip (maybe 192.168.1.1 for a start) and WAN using dhcp
* the firewall up and running without any setting required.
* we don't need a console on the firewall and we can get it up and running faster, directly from the web interface alone.
* we still can change any of these settings, anytime from the web interface.
Captive portal on multiple vlan
We have several communities identified by VLAN tag. It's important that pfSense would be able to support captive portal on multiple VLAN interfaces.
siproxd supports phone registration and NAT traversal, including upstream proxy/gateway forwarding. Is this sufficient? *ALREADY In packages*
Multiple DynDNS registrations
Instead of the dyndns page having info for a single connection it should have add/delete functionality for multiple records. -DONE IN -HEAD
XEN Virtualization
Layer 7 traffic shaping
Can we please have layer 7 traffic filter like, for example, l7-filter in Linux and in commercial traffic shapers like Packeteer and others.
I'm not really a good coder but if someone could give me an idea on what needs to be done I might give it a go. In terms of routing/firewalling *BSD really needs this (maybe other things have higher priority but this is still really important)
If you are at a debugger prompt (db>) the output of 'trace', 'show pcpu', 'show pcpu 0', and 'show pcpu 1' would probably be useful to the kernel hackers who can help you (not myself).
failover redundant connection through 2 ISP to 1 pfSense box
Connect 2 different ISP to a 3 NIC box, 2 for WAN and 1 for LAN, with bandwidth addition, and failover if 1 line crashes.
A wonderful feature set to copy is the PePLink found at http://www.peplink.com/productsLoader.php?productName=balance
It has a lot more features than I need, but what I'd love to see built into pfSense is the ability to bind separate DNS servers to each WAN connection, and to be more automated than the current OutgoingLoadBalancing technique.
Edited on 2007-09-24 09:58:44 by ThomasA
Additions:
An option to choose if VLAN tagged interfaces should be named after the VLAN number, or if it should be the next integer value, regardless of the VLAN tag, as today. E.g. the first VLAN interface that is created is named vlan1, the second vlan2, the third vlan3, etc., regardless of the tag the interface has been set to. The naming would be easier to "understand" if the VLANs are named after the tag, e.g. tagged with 100 named vlan100, tagged with 2345 named vlan2345.
Deletions:
An option to choose if VLAN tagged interfaces should be named after the VLAN number, or if it should be the next integer value, regardless of the VLAN tag, as today.
Edited on 2007-09-24 09:43:09 by ThomasA
Additions:
config backup by email
A system to daily send a backup of all configuration files.
vlan tagging
An option to choose if VLAN tagged interfaces should be named after the VLAN number, or if it should be the next integer value, regardless of the VLAN tag, as today.
Oldest known version of this page was edited on 2007-08-18 23:52:19 by ChrisBuechler
Page view:
pfSense Requested Features
pre configured LAN & WAN
* any first found interface is set as LAN and the second as WAN
* give LAN an ip (maybe 192.168.1.1 for a start) and WAN using dhcp
* the firewall up and running without any setting required.
* we don't need a console on the firewall and we can get it up and running faster, directly from the web interface alone.
* we still can change any of these settings, anytime from the web interface.
Hauskeys OTP Support
Access control using a mobile-phone-based one-time password system from http://hauskeys.safehaus.org.
Instructions to try it out on an emulator at http://hauskeys.safehaus.org/Java+Wireless+Toolkit
Interface Support
Improved Interface to T1 gear
* t1 / sync serial support - http://www.daemonnews.org/200003/netgraph.html
* t1 and t3 interface support
ADSL Support
One feature that's keeping me from deploying pfSense on a wider scale is lack of support for either PCI or USB ADSL modems. If I use a bridge, what's to stop USERS plugging into that and skipping the firewall!
comment from CMB - if they don't have your PPPoE username and password, or public IP info, or something of that nature, they won't be able to do that successfully. Plus, if people have physical access to your firewall, you're not protected from those people anyway.
I know most PCI/USB modems (the cheap ones) have a licence agreement to install the BSD drivers, but could some click-through be developed to let people download and install the drivers? This way you don't have to redistribute the firmware. The user downloads and installs via a webGUI wizard. All you need then is a setting for PPPoA. This would then set pfSense streets ahead of any rivals.
vsat
* connect using one-way vsat dvb card?
Most of the "one-way" drivers are proprietary, although I'd love to see an open source version. (-GlennPowers)
* two way vsat?
Most of these have dedicated satellite modems with ethernet connections. (-GlennPowers)
support gprs/cdma connection
* similar, but should be better than this: www.koppel.cz/cdmawifi
* universal usb-serial driver for nokia dku5 & compatible cables. global.mobileaction.com/product/product_USB.jsp#Additional
* universal serial modem driver
* easy setup to dial any gprs/cdma connection
* with all these on my laptop, I can carry an instant hotspot wherever my laptop and I go, even on the road in my car, etc...
If this gets in, I hope conventional dialup gets in too. It would be nice to have this for failover. See below.
pstn modem support
Full pfSense support for modem operations would be cool.
* Dialup failover for WAN (dial-on-connection-fail)
* Dial-on-demand support for dialup-only configurations
* Dial-in server support (PPP server) with customisable rules for pf.
Services
smtp server
local SMTP server to send mail faster and not depend on the ISP's SMTP
allow an outbound SMTP forwarder to simplify network setup: everything goes to the default gw
small local wiki server
* something like http://didiwiki.org/ or http://sourceforge.net/projects/iowiki
* listen only on lan interface.
* so we can publish short instructions to our LAN users, like how they should set up their Windows to minimize risk, etc...
Captive portal on multiple vlan
We have several communities identified by VLAN tag. It's important that pfSense would be able to support captive portal on multiple VLAN interfaces.
webcam server
additional security to 'watch' our server in case somebody gets their hands on it...
upstream http proxy for firmware upgrade & packages
* in a multi-firewall network it will be necessary to download firmware/packages via an http proxy and not directly from the pfSense box.
limit access based on radius user
* each user can have a limit set on their access
* limitation can be: time-based, bandwidth allowance, total bandwidth used, ports, etc.
* example: user a can access for only 3 hours, user b can use up to 20 MB download/upload, user c can only use email, etc...
Image creation
* Add functionality to backup/restore screen to pull down a custom "FullUpdate" image from a given box.
server packages
i think middle-man.sf.net is a great filtering proxy server and should get into pfsense.
web server, mail server, squid proxy, etc...
it's a waste to have a newer Pentium 4 for a firewall only and not run any server...
see redwall for a nice one, but they use linux...
scene: pfSense system running from cf/cd and use harddrive as storage for proxy/mail/web/etc
asterisk voip gateway
siproxd supports phone registration and NAT traversal, including upstream proxy/gateway forwarding. Is this sufficient? *ALREADY In packages*
LDAP for radius user authentication
secure (https) authentication gateway + captive portal
radius billing & accounting
Radius bandwidth settings
inspired from post
http://article.gmane.org/gmane.comp.security.firewalls.m0n0wall/11285
Mobile l2tp support
http://www.dellroad.org/sl2tps/index
Multiple DynDNS registrations
Instead of the dyndns page having info for a single connection it should have add/delete functionality for multiple records. -DONE IN -HEAD
XEN Virtualization
Site to Site IPsec VPN support w/dyndns endpoints
DHCPD Dynamic DNS Updates + Hostnames
Ability to enable the dynamic update feature on the DHCPD server and the ability to add hostnames to each static address, or a way to modify the dhcpd config manually.
For example option tftp-server-name and option bootfile-name including $MAC Variable for configuring e.g. VoIP telephony devices
Layer 7 traffic shaping
Can we please have layer 7 traffic filter like, for example, l7-filter in Linux and in commercial traffic shapers like Packeteer and others.
I'm not really a good coder but if someone could give me an idea on what needs to be done I might give it a go. In terms of routing/firewalling *BSD really needs this (maybe other things have higher priority but this is still really important)
Exchange RPC Publishing
It would be way cool to be able to open port 135 *securely* to let Outlook talk to Exchange from outside the network. Port 135 is also a virus' favorite friend, so it would take filtering the TYPE of RPC traffic to only allow traffic bound for exchange. It would be just as good to do it with Microsoft's RPC over HTTP.
new installer
NewInstaller
If you are at a debugger prompt (db>) the output of 'trace', 'show pcpu', 'show pcpu 0', and 'show pcpu 1' would probably be useful to the kernel hackers who can help you (not myself).
failover redundant connection through 2 ISP to 1 pfSense box
Connect 2 different ISPs to a 3-NIC box, 2 for WAN and 1 for LAN, with bandwidth addition, and failover if 1 line crashes.
A wonderful feature set to copy is the PePLink found at http://www.peplink.com/productsLoader.php?productName=balance
It has a lot more features than I need, but what I'd love to see built into pfSense is the ability to bind separate DNS servers to each WAN connection, and to be more automated than the current OutgoingLoadBalancing technique.
Deep Packet Inspection
* http://en.wikipedia.org/wiki/Deep_packet_inspection
* This would be really useful to let people make plugins for things like automatic port opening for VOIP services, IM file transfers, and games.
* Layer four switches rule
email reporting
A system that sends mails with some alerts/reports such as failed logins, daily usage, status of the load balancer, alerts for downtime, bandwidth...