The MiniUPnP project is a library and a daemon. The library is aimed to enable applications to use the capabilities of a UPnP Internet Gateway Device present on the network to forward ports. The daemon adds the UPnP Internet Gateway Device functionality to a NAT gateway running OpenBSD/NetBSD/FreeBSD/Solaris with PF/IPF or Linux 2.4.x/2.6.x with netfilter. One of its most interesting features is to enforce some permissions to allow or deny redirections, bringing some security to UPnP. Newer versions also support the NAT-PMP protocol from Apple.
plugdaemon is a load-balancing "plug" proxy. It allows you to forward TCP connections to one or multiple hosts, using load balancing or failover, and to route the connections through an HTTPS proxy. Access control is done by source interface or by originating IP. Outgoing connections can be bound to a specific IP address.
lsfw (list firewall) helps network administrators deal with firewalling on a huge network. It lists the firewalls rules applied between two points on the network. It uses the configuration of the network equipment and builds a (light) model of the network described by the equipment. This allows probing for access-list matching all over the network, doing routing and firewalling.
m0n0wall is an all-in-one firewall software package that is based on FreeBSD. It is geared towards embedded PCs, but it also works on standard PCs. It includes an easy-to-use Web interface like commercial firewall boxes do. PHP is used instead of shell scripts, and the entire system configuration is stored in a single XML-formatted file. There is support for VPN, traffic shaping, captive portal, VLANs, and more.
Sshguard monitors services through their logging activity. It reacts to messages about dangerous activity by blocking the source address with the local firewall. Sshguard employs a clever parser that can transparently recognize several logging formats at once (syslog, syslog-ng, metalog, multilog, raw messages), and detects attacks for many services out of the box, including SSH, several ftpds, and dovecot. It can operate all the major firewalling systems, and features support for IPv6, whitelisting, suspension, and log message authentication.
SOHT (Socket over HTTP Tunneling) allows you to tunnel socket connections through an HTTP proxy. Restrictive firewalls often prohibit all outgoing trafic except for HTTP. This application allows you to tunnel socket connections over the HTTP protocol. This application consists of a server that serves as a proxy and a client which tunnels a socket connection over an HTTP connection to the server. The current server is written in Java, and there are clients in Java and .NET.
IPsec-Tools is a Linux port of the user-space tools from KAME. It includes libipsec (a library with a PF_KEY implementation), setkey (a tool for manipulating and dumping the kernel Security Policy Database and Security Association Database), and racoon (Internet Key Exchange daemon for automatically keying IPsec connections).