- Stateful packet filtering (connection tracking), works for ICMP and UDP as well as TCP connections
- All kinds of network address translation
- Flexible and extensible infrastructure
- Uses NAT and masquerading for sharing internet access over a single IP
- Uses the iproute2 system, which is used to build sophisticated QoS routers
- Packet manipulation (mangling) like altering the TOS field in the IP header
- Protection from known attacks like SYN floods, Ping-of-Death, NMAP/XMAS, Furtive Stealth port scanners, Denial of Service (DoS) attacks and the like
- Rate-limited connection and logging capability for bandwidth throttling and for preventing logs from being flooded, as happened in the Jolt2 DoS attacks
- Ability to filter on TCP flags and TCP options, and also MAC addresses
- Simplified redirection to forward connections to back-end servers such as email or web servers located behind the firewall
- Portsentry Intruder Alert and blocking system