| Features | Linux iptables / netfilter | Linux ipfwadm | Linux ipchains | CheckPoint FW-1 | IP Filter | FreeBSD IPFW | PF |
| --- | --- | --- | --- | --- | --- | --- | --- |
| filter in/out based on Layer 3 and 4 headers | - | - | - | - | - | - | - |
| filter TCP/UDP by a port number range | - | - | - | - | - | - | - |
| filter ICMP by a type/code | - | - | - | - | - | - | - |
| filter "established" TCP packets | - | - | - | - | - | - | - |
| filter on TCP flags | - | - | - | - | - | - | - |
| filter IP fragments | - | - | - | - | Y | - | - |
| filter IP short fragments | - | - | - | - | Y | - | - |
| filter based on IP Options | - | - | - | - | Y | - | - |
| stateful connection tracking for TCP | - | - | - | - | - | - | - |
| stateful connection tracking for UDP | - | - | - | - | - | - | - |
| stateful connection tracking for ICMP | - | - | - | - | - | - | - |
| specify state timeouts for all phases of a TCP connection | - | - | - | - | - | - | - |
| distinguish between interfaces | - | - | - | - | - | - | - |
| match on any protocol | - | - | - | - | - | - | - |
| match bridged packets | - | - | - | - | - | Y | - |
| match packets from a user UID | - | - | - | - | - | Y | Y |
| match packets from a group GID | - | - | - | - | - | Y | Y |
| network address translation | - | - | - | - | - | - | - |
| redirection for transparent proxies | - | - | - | - | - | - | - |
| provide packet header details to outside programs for authentication | - | - | - | - | Y | - | - |
| send back ICMP error for denied packets | - | - | - | - | - | - | - |
| send back TCP reset for denied packets | - | - | - | - | - | - | - |
| silently block packets | - | - | - | - | - | - | - |
| IP accounting | - | - | - | - | - | - | - |
| fragment caching/checking | - | - | - | - | - | - | - |
| apply different policies to different users | - | - | - | - | - | - | - |
| high availability with failover | - | - | - | - | - | - | - |
| packet prioritization | - | - | - | - | - | - | - |
| traffic shaping | - | - | - | - | - | - | - |
| normalizing TCP/IP traffic | - | - | - | - | - | - | - |
| invisibly classify packets based on source operating system | - | - | - | - | - | - | - |
| load balancing | - | - | - | - | - | - | - |
| modulate TCP sequence numbers | - | - | - | - | - | - | - |
| user-defined macros or variables | - | - | - | - | - | - | - |
| address lists (tables) that can be modified in real-time | - | - | - | - | - | - | - |
| sub-rulesets / dynamic rulesets | - | - | - | - | - | - | - |
| applying a tag to a packet for policy-based filtering | - | - | - | - | - | - | - |
| state table changes available in real-time | - | - | - | - | - | - | - |
| state table changes available over network (to other firewalls for example) | - | - | - | - | - | - | - |
| logging packet headers | - | - | - | - | - | - | - |
| logging TCP/UDP/ICMP headers | - | - | - | - | Y | - | - |
| logging at least some of packet data | - | - | - | - | Y | - | - |
| specific logging on matching packet | - | - | - | - | Y | - | - |
| log to file | - | - | - | - | - | - | - |
| log to console | - | - | - | - | - | - | - |
| log to syslog | - | - | - | - | - | - | - |
| tcpdump can be used to analyze logging | - | - | - | - | - | - | - |
| statistics for packet processing | - | - | - | - | - | - | - |
| allow testing with sample packets | - | - | - | - | Y | - | - |
| command-line interface | - | - | - | - | - | - | - |
| graphical management console (like X11) | - | - | - | - | - | - | - |
| web-based interface | - | - | - | - | - | - | - |
| rule evaluation optimization | - | - | - | - | - | - | - |
| configuration aliases (built-in) | - | - | - | - | - | - | - |
| normal usage is per rule | Y | Y | Y | - | N | Y | N |
| normal usage is per entire ruleset | N | N | N | - | Y | N | Y |
| has active and inactive rulesets | - | - | - | - | Y | - | - |
| has default rule | - | - | - | - | - | Y | - |