compiler can generate code that responds with different ICMP messages or sends TCP RST for the Reject action
compiler can process rules that are associated with interfaces and match
packets going in specified direction, as well as with rules that are
not associated with any interface.
compiler can process rules with negation even if multiple objects or groups are negated
compiler supports logging
generated configuration files are well structured and
commented: each group of commands has a comment that tells which rule
in the GUI it implements, and the custom comment entered for that
rule in the GUI is included as well
Advanced features:
compiler groups addresses and protocols using { and }
in the generated pf configuration file.
compiler can detect many common errors in the objects and policy and NAT rules
compiler can detect rule shadowing
generated script performs sanity checks to make sure that the firewall
object it has been generated for reflects the configuration of
the real firewall machine it is being executed on.
by default, each rule uses keep state and matches only new packets.
This can be turned off on a per-rule basis to get rules that ignore state.
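The fragment below is an added example of the rule shapes these points describe, written by hand in pf.conf syntax; it is not output generated by Firewall Builder. The interface name, addresses and ports are assumptions, and it assumes first-match semantics by putting quick on every rule, which is how a GUI's top-to-bottom policy is usually rendered for pf.

```pf
# Added example, not Firewall Builder output. em0, 192.0.2.x and the
# port numbers are assumed values.
ext_if = "em0"
web_servers = "{ 192.0.2.10, 192.0.2.11 }"
web_ports   = "{ 80, 443 }"

# Reject action: a TCP RST for TCP, an ICMP unreachable for other
# protocols (return-icmp defaults to port-unreachable). Both are logged.
block return-rst  in log quick on $ext_if proto tcp from any to any port 23
block return-icmp in log quick on $ext_if proto udp from any to any port 69

# Grouping with { } keeps one GUI rule as one pf rule.
# "flags S/SA keep state" matches only the first packet of a new TCP
# connection and creates a state entry that handles the rest of it.
pass in quick on $ext_if proto tcp from any to $web_servers port $web_ports flags S/SA keep state

# A rule with state tracking turned off on a per-rule basis: every
# packet is evaluated against the rule set.
pass out quick on $ext_if proto udp from any to any port 123 no state

# Rule shadowing, the kind of error the compiler is described as
# detecting: with first-match (quick) semantics the next rule can never
# fire, because the web_servers rule above already matches everything
# it could match. Left commented out on purpose.
# pass in quick on $ext_if proto tcp from 10.0.0.0/8 to 192.0.2.10 port 80 flags S/SA keep state
```

The shadowing case only exists because of quick: without it pf uses last-match semantics and the later, narrower rule would win instead of being dead. That is why a compiler that emulates a GUI policy must be consistent about which semantics it emits before it can reason about shadowing at all.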
Special and additional types of objects:
compiler supports Address range object
compiler supports custom service object. This type of object
provides a way of inserting arbitrary code into the generated iptables command.
Logging:
options for logging can be set both globally and for individual rules
compiler supports custom log prefix. Prefix can be defined globally,
as well as individually for each rule.
the default value of the custom logging prefix is used as a marker so that
statistics entries can easily be matched with rules in the GUI
Special types of rules:
compiler supports the special case where an empty group is used in a policy rule
(this is useful when one needs to control access to/from a group of hosts
whose membership may change and sometimes becomes empty - the compiler can automatically
disable the rule while the group is empty).
Interfaces:
compiler supports interfaces with dynamic addresses, as well as unnumbered
interfaces (the latter never have an IP address but may still have rules
associated with them)
compiler can configure actual interfaces of the firewall using
addresses of the firewall object as it is configured in the GUI
NAT:
compiler emulates a double translation NAT rule which translates both
source and destination addresses of the packet. This greatly simplifies
configuration for the situation called destination NAT back onto the same subnet
generated script can automatically add a virtual (alias) address to
the interface of the firewall for NAT rules that use an address that does not
belong to it. This needs to be done so that the firewall
will answer ARP queries for that address.
compiler supports NAT rules that define no translation (no nat rules)
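As an added example (hand-written pf.conf, not Firewall Builder output), this is what the double translation described above expands to in pf's native rdr/nat terms, together with a "no nat" exclusion. Interface names and addresses are assumptions.

```pf
# Added example, not Firewall Builder output. Interfaces and addresses
# are assumed values.
ext_if   = "em0"
int_if   = "em1"
int_net  = "192.168.1.0/24"
srv      = "192.168.1.10"
ext_addr = "203.0.113.5"

# "Destination NAT back onto the same subnet": a LAN client connects to
# the public address and must reach a server that sits on its own LAN.
# The single double-translation rule in the GUI becomes two pf rules.

# 1. Translate the destination: redirect the public address to the server.
rdr on $int_if proto tcp from $int_net to $ext_addr port 80 -> $srv port 80

# 2. Translate the source of the same packets to the firewall's internal
#    address, so the server's replies return through the firewall instead
#    of going straight back to the client (which would never see the
#    reverse translation and would drop the reply).
nat on $int_if proto tcp from $int_net to $srv port 80 -> ($int_if)

# A rule that defines no translation. nat rules are first-match, so the
# exclusion must come before the general rule it carves a hole in.
no nat on $ext_if from 192.168.1.200 to any
nat on $ext_if from $int_net to any -> $ext_addr

# If 203.0.113.5 is not already configured on em0, the firewall will not
# answer ARP for it and the rdr rule never sees a packet; that is the case
# the generated script covers by adding an alias, e.g.
#   ifconfig em0 inet 203.0.113.5 netmask 255.255.255.255 alias
```

A useful check after loading such a configuration is to confirm that both translations appear in pfctl -s nat and that a state for the connection exists on the firewall; if the nat line is missing, the connection typically hangs after the SYN because the server replies directly to the client.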