compiler can generate code that responds with different ICMP messages or sends TCP RST for the Reject action
compiler automatically determines proper iptables chain and target for the given rule. One rule created in the GUI
may generate multiple iptables commands if necessary.
compiler can process rules that are associated with interfaces and match packets going in specified direction, as well
as with rules that are not associated with any interface.
compiler can process rules with negation even if multiple objects or groups are negated (this requires special
processing because iptables “!” option can not be used when rule
element with negation has multiple objects in it)
compiler supports logging
generated iptables script is well structured and commented: each group of commands has a comment that tells what rule in
the GUI it implements. It also includes a custom comment added for that rule in the GUI
Advanced features:
compiler can detect many common errors in the objects and policy and NAT rules
compiler can detect rule “shadowing”
generated script does sanity checks to make sure that firewall object it has been generated for reflects configuration of
the real firewall machine it is being executed on.
compiler properly handles rules that match on broadcast and multicast addresses
compiler can generate script for the bridging firewall
generated script utilizes “multiport” module. If the rule in the GUI
uses combination of the service objects with different protocols,
the compiler splits the rule onto several subrules, grouping service
objects with the same protocol together and uses “multiport” module
in each subrule if apropriate.
by default, the generated script permits ESTABLISHED and RELATED
packets
in its very first rule. Administrator can turn this off using an option
in the GUI and then use custom service object “ESTABLISHED” to generate
rule for these types of packets.
by default, each rule uses module “state” and matches only “new” packets. This can be turned off
on a per-rule basis to get rules that ignore state.
Special and additional types of objects:
compiler supports “Address range” object
compiler supports time interval objects
compiler supports “custom” service object. This type of the object provides a way of inserting of arbitrary
code to the generated iptables command.
compiler can generate code to match on the MAC addresses of hosts
Logging:
compiler supports logging using LOG as well as ULOG targets
options for logging using LOG and ULOG targets can be set both globally and for individual rules
compiler supports custom log prefix. Prefix can be defined globally, as well as individually foreach rule.
default value for the custom logging prefix is used as a marker so that log entries can easily be matched with rules in the GUI
Special types of rules:
compiler supports special case when empty group is used in
the policy rule (this is useful when one needs to control access to/from a group of hosts
which may change and sometimes becomes empty - compiler may automatically
disable the rule if the group becomes empty).
Interfaces:
compiler supports interfaces with dynamic address, as well as unnumbered
interfaces (the latter can never have IP address but may have rules associated with them)
compiler can configure actual interfaces of the firewall using
addresses of the firewall object as it is configured in the GUI
compiler supports “wildcard” interfaces. This is useful when identical
policy rules need to be associated with multiple interfaces with similar
names, but it is not known beforehand how many interfaces like that can
be active at the same time and what their exact names are going to be
(e.g., firewall may have many ppp interfaces that are coming up and
going down at various times in random combinations)
compiler determines address of dynamic interface at a startup time
compiler can work around situation when dynamic interface is down or
does not have IP address when firewall script is activated. The script
will disable rules associated with that interface but will load the rest
of the policy.
NAT:
compiler emulates “double translation” NAT rule which translates both
source and destination addresses of the packet. This greatly simplifies
configuration for situation called “destination NAT back onto the same subnet”;
generated script can automatically add virtual (“alias”) address to
the interface of the firewall for NAT rules that do not use existing
address that belong to it. This is needs to be done so that firewall
will answer ARP queries for that address.
compiler supports NAT rules that define no translation (“no nat” rules)
compiler supports NAT rules that define translation of the packets
originated on the firewall and choses chain and target properly.