compiler can generate code that responds with different ICMP messages or sends TCP RST for the Reject action
compiler can process rules that are associated with interfaces and match
packets going in specified direction, as well as with rules that are
not associated with any interface. For the latter, it automatically
determines the interface the rule should be associated with
compiler can process rules with negation even if multiple objects or groups are negated
compiler supports logging
generated ipf and ipnat configuration files are well structured and
commented: each group of commands has a comment that tells which rule
in the GUI it implements. It also includes any custom comment added to that
rule in the GUI
Advanced features:
compiler can detect many common errors in the objects and policy and NAT rules
compiler can detect rule shadowing
by default, each rule uses keep state and matches only new packets.
This can be turned off on a per-rule basis to get rules that ignore state.
compiler can use two models for the generated ipfilter configuration:
it can generate rules for inbound and outbound packets, or it can permit
all outbound packets and only generate rules for inbound ones. The
choice of the model is controlled by the option in the GUI.
compiler performs optimization of the generated ipf and ipnat configuration
scripts and can find and eliminate duplicate rules.
Special and additional types of objects:
compiler supports Address range object
compiler supports custom service objects. This type of object
provides a way to insert arbitrary code into the generated ipfilter configuration files.
Logging:
options for logging can be set both globally and for individual rules
Special types of rules:
compiler supports the special case when an empty group is used in
a policy rule (this is useful when one needs to control access to/from a group of hosts
whose membership may change and sometimes becomes empty; the compiler can automatically
disable the rule if the group becomes empty).
Interfaces:
compiler supports interfaces with dynamic addresses, as well as unnumbered
interfaces (the latter never have an IP address but may have rules associated with them)
compiler can configure actual interfaces of the firewall using
addresses of the firewall object as it is configured in the GUI
NAT:
generated script can automatically add a virtual (alias) address to
the firewall interface for NAT rules that use an address that does not
already belong to it. This needs to be done so that the firewall
will answer ARP queries for that address.
compiler supports NAT rules that define no translation ("no nat" rules)
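The following is a hand-written illustration of the shape of output the features above describe (Reject with RST/ICMP feedback, per-rule keep state on new packets only, the "permit all outbound" model, GUI rule comments, and the NAT alias address); it is an added example, not output taken from the compiler. Interface name em0 and all addresses are made up, and the ifconfig alias syntax assumes a FreeBSD-style host.

```ipf
# --- /etc/ipf.conf ---
# Rule 0 (global): "permit all outbound" model, state kept for replies
pass out quick on em0 all keep state

# Rule 1 (GUI comment: "Allow web to DMZ server")
# inbound on em0 only; flags S/SA limits the match to new TCP sessions,
# keep state lets the rest of the session through
pass in quick on em0 proto tcp from any to 203.0.113.10/32 port = 80 flags S/SA keep state
pass in quick on em0 proto tcp from any to 203.0.113.10/32 port = 443 flags S/SA keep state

# Rule 2 (GUI comment: "Reject telnet and SNMP probes with feedback")
# Reject action: TCP receives an RST, UDP receives ICMP port-unreachable
block return-rst in log quick on em0 proto tcp from any to 203.0.113.10/32 port = 23
block return-icmp(port-unr) in log quick on em0 proto udp from any to 203.0.113.10/32 port = 161

# Rule 3 (GUI comment: "Drop everything else, logged")
# Deny action: silently dropped, no feedback to the sender
block in log quick on em0 all

# --- /etc/ipnat.conf ---
# Rule 0 (NAT): hide the internal network behind 203.0.113.20, which is
# not the primary address of em0
map em0 192.168.1.0/24 -> 203.0.113.20/32 portmap tcp/udp 10000:20000
map em0 192.168.1.0/24 -> 203.0.113.20/32

# --- fragment of the activation script ---
# the alias address used by the NAT rule is added before the rulesets
# are loaded, so the firewall answers ARP queries for 203.0.113.20
ifconfig em0 inet 203.0.113.20 netmask 255.255.255.255 alias
ipf -Fa -f /etc/ipf.conf
ipnat -CF -f /etc/ipnat.conf
```

Omitting the alias line leaves 203.0.113.20 unanswered on the wire, so translated sessions would fail even though the ipnat rule itself is correct.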