It is fully compatible with nftables. The only requirement is that iptables-nft is installed
Very secure stateful filtering firewall
It can be used for both single- and multi-homed (e.g. dual-homed) boxes
Plugin support (to add extra features)
Masquerading (NAT) and SNAT support
Full IPv6 support (including IPv4 / IPv6 mixed mode support)
Multiple external (internet) interfaces
Support multiroute NAT & SNAT (load balancing over multiple (internet) interfaces)
Port forwarding (NAT)
Support MAC address filtering
Support for DSL/ADSL modems
Support for PPPoE, PPPoA and bridging modem setups
Support for static and ISP assigned (DHCP) IPs
Support for (transparent) proxies
Full support for DMZs and DMZ-2-LAN forwarding. You can also use it to isolate e.g. your wireless LAN.
(Nmap) (stealth) portscan detection
Protection against SYN-flooding (DoS attacks)
Protection against ICMP-flooding (DoS attacks)
Extensive user-definable logging with rate limiting to prevent log flooding
Includes options to optimize your throughput
User-definable open ports, closed ports, trusted hosts, blocked hosts, etc.
Log & protection options are both highly customizable
Support for custom iptables rules in a separate file
It can be used with the chkconfig runlevel system (e.g. RedHat/Fedora)
Main focus on TCP/UDP/ICMP but additional support for *ALL* IP protocols
IPSEC support (via plugins for Freeswan and Racoon)
SSH Brute Force (Cracking) Protection (plugin)
It works with PoPTop PPTP (http://www.poptop.org)
It works with UPnP
DRDOS protection/detection (experimental)
It's easy to install & configure
And much more...