Recent changes to feature-requests

#319 Mikrotik support

Michael Speth — Tue, 12 Jul 2016 07:52:01 -0000

I'm also interested!

#319 Mikrotik support

dadenson — Thu, 10 Mar 2016 15:55:53 -0000

I'd love to see this. I have a large number of mikrotik routers and keeping firewall rules tight between them is a bit of a chore.

Automatic packet queueing rules for PF

bananabr — Mon, 28 Sep 2015 14:05:14 -0000

Hi,

Is there any development guide so I can try to implement automatic queueing rules for PF?

Thanks,

Use Kernel Timezone in Time Module

Heiri Müller — Thu, 09 Jul 2015 14:49:14 -0000

The time module has the following options:

iptables -m time --help

[…]

time match options:
--datestart time Start and stop time, to be given in ISO 8601
--datestop time (YYYY[-MM[-DD[Thh[:mm[:ss]]]]])
--timestart time Start and stop daytime (hh:mm[:ss])
--timestop time (between 00:00:00 and 23:59:59)
[!] --monthdays value List of days on which to match, separated by comma
(Possible days: 1 to 31; defaults to all)
[!] --weekdays value List of weekdays on which to match, sep. by comma
(Possible days: Mon,Tue,Wed,Thu,Fri,Sat,Sun or 1 to 7
Defaults to all weekdays.)
--kerneltz Work with the kernel timezone instead of UTC

All except two of these options are usable from FWBuilder. One of the not accessibles is the timezone: "kerneltz".
This is quite important for everybody, not living in the UTC zone.
And it would be easy to implement: Just add a checkbox "Use Kernel Timezone [YES/NO]" and then translate or not this into:

-m time --timestart 01:23 --timestop 23:45 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz

or not:

-m time --timestart 01:23 --timestop 23:45 --weekdays Mon,Tue,Wed,Thu,Fri

Thanks for all what you did so far!

IPTables Packet Length Module

Philip Mötteli — Fri, 21 Nov 2014 09:35:47 -0000

Thanks for your great product!
I would need IPTables "-m length --length" module.
I think this module is important to have.

Thanks

ipv6-ipv6 nat support

Robert Bossecker — Sun, 12 Jan 2014 16:15:34 -0000

The current linux kernels contain the long awaited possibility to nat ipv6<->ipv6

It would be very useful to support port-natting in SNAT/DNAT, masquerading, static ipv6 mappings, user or group match SNAT ...

Mikrotik support

Frederic Hermann — Tue, 15 Oct 2013 16:18:20 -0000

Well, I don't know if the project is still maintained here but ... I would like to know if there is any plan to include Mikrotik (http://www.mikrotik.com) support in fwbuilder.

Mikrotik RouterOS is embedded linux, and the firewall is netfilter, but with a different syntax than the standard iptables.

The syntax is described here:
Filter table: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
NAT table: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT
Mangle table: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle

Packet flow is described in details here:
IPv4: http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
IPv6: http://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6

I could probably contribute, if given some support on the existing architecture from existing developpers, but don't have much available time, so any help would be appreciated.

#293 Advanced routing table

Brian Ronald — Fri, 26 Apr 2013 13:48:27 -0000

Integration of policy rules and routing tables would be very helpful indeed.

ipset support

Wilco Baan Hofman — Sun, 20 Jan 2013 01:58:27 -0000

Add ipset support for table lookup of groups of IP addresses instead of creating a sequentially-parsed separate rule for every address.

This increases routing performance significantly.

stateless filtering with --syn

Wilco Baan Hofman — Sun, 20 Jan 2013 01:27:40 -0000

Hi,

I'd like to test for TCP flags in a firewall rule. I always *disable* connection tracking and filter based on TCP flags.

So, three things I need:
1. Allow me to disable xt_conntrack kernel module
2. Allow me to do --syn on outbound rules and ! --syn on inbound rules with the service as the source
3. A service can also be a source

Or better yet, combine the last two into the default for stateless filtering for iptables. I don't want anybody with a service source port like 22 (possible!) to connect to all of my services, but I don't want to keep state in my ipv6 firewall.