| Features | Linux iptables / netfilter | Linux ipfwadm | Linux ipchains | CheckPoint FW-1 | IP Filter | FreeBSD IPFW | PF |
|---|---|---|---|---|---|---|---|
| filter in/out based on Layer 3 and 4 headers | - | - | - | - | - | - | - |
| filter TCP/UDP by a port number range | - | - | - | - | - | - | - |
| filter ICMP by a type/code | - | - | - | - | - | - | - |
| filter "established" TCP packets | - | - | - | - | - | - | - |
| filter on TCP flags | - | - | - | - | - | - | - |
| filter IP fragments | - | - | - | - | Y | - | - |
| filter IP short fragments | - | - | - | - | Y | - | - |
| filter based on IP Options | - | - | - | - | Y | - | - |
| stateful connection tracking for TCP | - | - | - | - | - | - | - |
| stateful connection tracking for UDP | - | - | - | - | - | - | - |
| stateful connection tracking for ICMP | - | - | - | - | - | - | - |
| specify state timeouts for all phases of a TCP connection | - | - | - | - | - | - | - |
| distinguish between interfaces | - | - | - | - | - | - | - |
| match on any protocol | - | - | - | - | - | - | - |
| match bridged packets | - | - | - | - | - | Y | - |
| match packets from a user UID | - | - | - | - | - | Y | Y |
| match packets from a group GID | - | - | - | - | - | Y | Y |
| network address translation | - | - | - | - | - | - | - |
| redirection for transparent proxies | - | - | - | - | - | - | - |
| provide packet header details to outside programs for authentication | - | - | - | - | Y | - | - |
| send back ICMP error for denied packets | - | - | - | - | - | - | - |
| send back TCP reset for denied packets | - | - | - | - | - | - | - |
| silently block packets | - | - | - | - | - | - | - |
| IP accounting | - | - | - | - | - | - | - |
| fragment caching/checking | - | - | - | - | - | - | - |
| apply different policies to different users | - | - | - | - | - | - | - |
| high availability with failover | - | - | - | - | - | - | - |
| packet prioritization | - | - | - | - | - | - | - |
| traffic shaping | - | - | - | - | - | - | - |
| normalizing TCP/IP traffic | - | - | - | - | - | - | - |
| invisibly classify packets based on source operating system | - | - | - | - | - | - | - |
| load balancing | - | - | - | - | - | - | - |
| modulate TCP sequence numbers | - | - | - | - | - | - | - |
| user-defined macros or variables | - | - | - | - | - | - | - |
| address lists (tables) that can be modified in real-time | - | - | - | - | - | - | - |
| sub-rulesets / dynamic rulesets | - | - | - | - | - | - | - |
| applying a tag to a packet for policy-based filtering | - | - | - | - | - | - | - |
| state table changes available in real-time | - | - | - | - | - | - | - |
| state table changes available over network (to other firewalls for example) | - | - | - | - | - | - | - |
| logging packet headers | - | - | - | - | - | - | - |
| logging TCP/UDP/ICMP headers | - | - | - | - | Y | - | - |
| logging at least some of packet data | - | - | - | - | Y | - | - |
| specific logging on matching packet | - | - | - | - | Y | - | - |
| log to file | - | - | - | - | - | - | - |
| log to console | - | - | - | - | - | - | - |
| log to syslog | - | - | - | - | - | - | - |
| tcpdump can be used to analyze logging | - | - | - | - | - | - | - |
| statistics for packet processing | - | - | - | - | - | - | - |
| allow testing with sample packets | - | - | - | - | Y | - | - |
| command-line interface | - | - | - | - | - | - | - |
| graphical management console (like X11) | - | - | - | - | - | - | - |
| web-based interface | - | - | - | - | - | - | - |
| rule evaluation optimization | - | - | - | - | - | - | - |
| configuration aliases (built-in) | - | - | - | - | - | - | - |
| normal usage is per rule | Y | Y | Y | - | N | Y | N |
| normal usage is per entire ruleset | N | N | N | - | Y | N | Y |
| has active and inactive rulesets | - | - | - | - | Y | - | - |
| has default rule | - | - | - | - | - | Y | - |