- DONE! break up port range from 1024:65535 to masq/non-masq ports (if masq enabled?)
- DONE! use ipcalc.pl to generalize IP to a routed network (but not netblock on default route), and not a point-to-point link (slx/pppx/plipx)
- DONE! warn if DOCOMMAND incompatible with capabilities of running kernel
- DONE! Don't do processing if non-timestamp parameters equal to previous values.
- DONE! syslog is one way, syslog port to syslog port.
- DONE! do not generalize IP to 0/0 if both source and dest ports are 1024:65535
- DONE! grab additional local IP's (only?) from route -n grep BC and weed out dups
- DONE! caches in /var/...?
- DONE! ssh source port; 1000:1023, then 975:999, 950:974, etc.
- DONE! staticrules env var for ports to block from outside world for all incoming requests.  
  include 2049/tcp,udp, 3128/tcp, 3130/udp, X, xfs.
- DONE! add offending port numbers to comment on high-high connections 
- DONE! no masq port ranges in comment1
- DONE! don't put in tcp ack if both source and dest are servers.
- DONE! env var to choose what name lookup level
- DONE! reload DYN addresses on SIGUSR1.
- DONE! set TOS where appropriate
- DONE! break up ruleshell into runwall and runmason
- DONE! both source staticrules, which has ability to set lots of defaults
- DONE! get flushing to remove logging rulesets if appropriate.
- DONE! add nfs and friends to SSP and SCP lists
- DONE! syslog as an SSP
- DONE! trap Ctrl-C on gui-text, run killall -9 tail
- DONE! ipcalc workaround
- NOT NEEDED! carry along ipcalc/libc5, install if missing.
- DONE! spec file to ./redhat directory
- DONE! pull protocols from /etc/protocols
- DONE! move man pages up
- DONE! use --sport / --dport when addr is 0/0
- DONE! vlock installed?

- explain in documentation to use 0:1023 for "to all servers" range.
(credit to Dave Stern)
- set up documentation for the "nolog" chain.  Check for its existence at the top of mason,
create it if not there, use it for the ipchains runcommand.
- parameter to set ip->0/0 if no match with /tmp/morehosts or IP ranges
- suggest that users make syslog asynchronous to reduce load
- remind people to set all SERVER ports in /etc/services; no client ports.
- 2401/tcp = cvs?
- button pushing gui to change values in /etc/masonrc
- host->name is a separate button from host -> network and is a fallback
- upgrade nfs-server beta 16 to 37; 16 used different ports.
- contact portmapper for rpc ports.
- gui allows user to add comment line for most recent protocol
- for the dns port, if the ip matches a "nameserver X" line in /etc/resolv.conf, put in a rule to the host, not the net.
...maaaasonnnn eeeeessssss eeeeevillll...uuuuse emmm-esss-proxxxxxeeeeee....
- in docs: NO PORT SCANNING WHILE MASON IS RUNNING!
- 0/0 -> 0/0 packets.... huh?  Have option to put these in or not.
- option to allow standard high port to high port. Sob.
- make sure all host<-> ip's make it into host cache
- only allow incoming DNS from high ports or port 53?
- if an xterm, spit out title bar for Mason-gui-text
- Have icmp echo request as one of the NOINCOMING?
- for syslog machines: have env var to grep:    grep '^[^\W]*\W*[^\W]*\W*[^\W]*\W*tomcat\W'
- handle a destination address (only) in the multicast range 224.x.x.x - 239.x.x.x as a /32, not a generalized network.
- force deny rule for source address of 224.x.x.x?
- Have some kind of FTP server variable
- diff of pid list to kill
- slackware handling
- caldera
- ipchains-save output format
- poll user for required (but unset) variables at the start.
- reset all DYNIF addresses right before testing for equivalence 

-e:
- check for existence of outputN, etc, before flushing

Cisco:
- DONE! in Cisco output, replace: ppp->S, eth -> E, tr -> To .
- DONE! drop lo and forwarding packets for Cisco, I think.
- in Cisco output, replace: 0/0 -> any (equivalent to 0.0.0.0 255.255.255.255).
- Cisco is default deny once an access list exists: every list ends with an implicit deny, so anything not explicitly permitted is dropped.
- Cisco prep: 
	no ip access-group DIRLETTERifname
	no access-list DIRLETTERifname
	ip access-list extended DIRLETTERifname  (Can I create a blank one this way and add rules later? Otherwise, start new rules with permit or deny. )
	exit
	interface Ethernet 0
	ip access-group DIRLETTERifname in|out (out is default)
	exit
- remind user for Cisco to use 100-199 if replacing names with numbers
- port in Cisco is the _destination_ port when the operator follows the destination address (an operator after the source address is a source port).
- replace ip 0.0.0.0 with host ip .
- protocol keyword is lowercase in IOS (tcp, udp, icmp, ip).
- lt gt eq neq a port number; range lo hi for a port range.
- check that literally the word "log" is used at the end of IOS rules.
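Worked example for the Cisco output notes above, added here and not part of Mason itself: it maps a Mason-style rule (ipchains-ish source/destination in CIDR form, protocol, destination port) onto an IOS extended access-list entry and wraps the entries in the prep sequence sketched above (unbind, delete, recreate, rebind). The interface mapping follows the ppp->S, eth->E, tr->To note; the DIRLETTERifname list name, the rule field layout and the helper names are assumptions for illustration. Because the list ends with an implicit deny, only permit entries (plus any explicit logging denies) need to be emitted.

```python
"""Added example (not Mason's own code): render Mason-style rules as
Cisco IOS extended ACL entries.  Field layout and names are assumptions."""
import ipaddress

# Interface prefix mapping from the notes: ppp -> S, eth -> E, tr -> To.
IF_MAP = {"ppp": "S", "eth": "E", "tr": "To"}


def ios_interface(ifname):
    """eth0 -> E0, ppp0 -> S0, tr0 -> To0; anything else is an error."""
    for prefix, abbrev in IF_MAP.items():
        if ifname.startswith(prefix):
            return abbrev + ifname[len(prefix):]
    raise ValueError(f"no IOS mapping for interface {ifname!r}")


def ios_addr(cidr):
    """0/0 -> any; a /32 -> 'host A.B.C.D'; otherwise 'network wildcard'.
    The IOS wildcard is the inverted netmask, i.e. the hostmask."""
    if cidr in ("0/0", "0.0.0.0/0"):
        return "any"
    net = ipaddress.ip_network(cidr, strict=False)   # bare address -> /32
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def ios_port(port):
    """'22' -> ' eq 22'; '1024:65535' -> ' range 1024 65535'; None -> ''."""
    if not port:
        return ""
    if ":" in port:
        lo, hi = port.split(":", 1)
        return f" range {lo} {hi}"
    return f" eq {port}"


def ios_acl_entry(action, proto, src, dst, dport=None, log=True):
    """One extended-ACL line; the port operator after dst is the destination port."""
    proto = proto.lower()                      # IOS keywords are lowercase
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    if proto not in ("tcp", "udp", "icmp", "ip"):
        raise ValueError(f"unsupported protocol {proto!r}")
    if dport and proto not in ("tcp", "udp"):
        raise ValueError("port operators only apply to tcp/udp")
    line = f"{action} {proto} {ios_addr(src)} {ios_addr(dst)}{ios_port(dport)}"
    if log:
        line += " log"                         # literally the word "log", at the end
    return line


def ios_config(ifname, direction, entries):
    """Prep sequence from the notes: unbind the old list from the interface,
    delete it, rebuild it entry by entry in ACL config mode, rebind it.
    The list name DIRLETTER+ifname (e.g. iE0) is an assumed convention."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    iface = ios_interface(ifname)
    name = direction[0] + iface
    lines = [
        f"interface {iface}",
        f"no ip access-group {name} {direction}",
        "exit",
        f"no ip access-list extended {name}",
        f"ip access-list extended {name}",
    ]
    lines += [" " + entry for entry in entries]   # entries go in ACL config mode
    lines += [
        "exit",
        f"interface {iface}",
        f"ip access-group {name} {direction}",   # say the direction; IOS defaults to out
        "exit",
    ]
    return lines


if __name__ == "__main__":
    # Constructed sample: allow ssh in from anywhere to one host, log a denied range.
    rules = [
        ios_acl_entry("permit", "tcp", "0/0", "10.1.2.3", "22"),
        ios_acl_entry("deny", "udp", "0/0", "192.168.1.0/24", "1024:65535"),
    ]
    print("\n".join(ios_config("eth0", "in", rules)))
```

The implicit deny means the generated list needs no trailing deny entry; add one with `log` only if you want the drops logged, which is the same trick as a logging rule at the end of an ipchains chain.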

TOS: http://www.cis.ohio-state.edu/htbin/rfc/rfc1349.html, esp. Appendix 2.
- 3 high order bits are precedence, next 4 are TOS, last is MBZ (=0)
- 1000 minimize delay
- 0100 maximize throughput
- 0010 maximize reliability
- 0001 minimize monetary cost
- 0000 normal service
- ICMP error messages (types 3 destination unreachable, 4 source quench, 5 redirect, 11 time exceeded, 12 parameter problem) => 0000, rest as needed
- sending and receiving TOS do not need to be equal (ex: max throughput on bulk, minimize delay on responding ACK's)
- I think it only makes sense to set TOS on outgoing packets.
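Worked example for the TOS notes above, added here and not Mason's own code: it packs precedence and the four TOS bits into the byte laid out above, rejects a set MBZ bit or an undefined multi-bit pattern, pins ICMP errors to 0000, and turns the result into the ipchains `-t andmask xormask` pair for an output rule (AND with 0x01 keeps only the MBZ bit, so the XOR value lands cleanly). The per-service table is an excerpt of RFC 1349's recommendations and is an assumption here, as are the function names.

```python
"""Added example (not Mason's own code): build and check RFC 1349 TOS bytes
and emit the matching ipchains -t pair.  Service table is an assumption."""

# Bit values of the four TOS bits inside the byte (bits 4..1; bit 0 is MBZ).
TOS_BITS = {
    "normal":      0x00,   # 0000 normal service
    "mincost":     0x02,   # 0001 minimize monetary cost
    "reliability": 0x04,   # 0010 maximize reliability
    "throughput":  0x08,   # 0100 maximize throughput
    "lowdelay":    0x10,   # 1000 minimize delay
}
MBZ = 0x01

# ICMP error messages must be sent with TOS 0000.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

# Outgoing-service choices, an assumed excerpt of RFC 1349's recommendations.
SERVICE_TOS = {
    ("tcp", 20):  "throughput",   # ftp-data: bulk transfer
    ("tcp", 21):  "lowdelay",     # ftp control
    ("tcp", 22):  "lowdelay",     # ssh
    ("tcp", 23):  "lowdelay",     # telnet
    ("tcp", 119): "mincost",      # nntp
    ("udp", 53):  "lowdelay",     # dns query
}


def tos_byte(tos_name, precedence=0):
    """Precedence in the 3 high bits, TOS in the next 4, MBZ left at zero."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence is a 3-bit field")
    return (precedence << 5) | TOS_BITS[tos_name]


def decode_tos(byte):
    """Return (precedence, tos_name); reject MBZ set or an undefined pattern."""
    if byte & MBZ:
        raise ValueError("MBZ bit set")
    bits = byte & 0x1E
    for name, value in TOS_BITS.items():
        if value == bits:
            return byte >> 5, name
    raise ValueError(f"undefined TOS bit pattern {bits:#04x}")


def tos_for(proto, dport=None, icmp_type=None):
    """TOS byte for an outgoing packet (precedence 0)."""
    if proto == "icmp":
        if icmp_type in ICMP_ERROR_TYPES:
            return 0x00                          # mandatory for ICMP errors
        return tos_byte(SERVICE_TOS.get(("icmp", icmp_type), "normal"))
    return tos_byte(SERVICE_TOS.get((proto, dport), "normal"))


def ipchains_tos_rule(proto, dport=None, icmp_type=None):
    """Output-chain rule setting the TOS: AND 0x01 clears everything but MBZ,
    then XOR in the wanted value.  None when normal service needs no rule;
    TOS is only set on the output chain, never on input."""
    value = tos_for(proto, dport, icmp_type)
    if value == 0x00:
        return None
    return f"ipchains -A output -p {proto} --dport {dport} -t 0x01 {value:#04x}"


if __name__ == "__main__":
    for proto, port in (("tcp", 22), ("tcp", 20), ("udp", 53), ("tcp", 25)):
        print(proto, port, ipchains_tos_rule(proto, port))
```

Because the andmask 0x01 also clears the precedence bits, the XOR value is the whole byte you want on the wire; pass a nonzero precedence into `tos_byte` if the link needs one.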

