Sshguard monitors services through their logging activity. It reacts to messages about dangerous activity by blocking the source address with the local firewall. Sshguard employs a clever parser that can transparently recognize several logging formats at once (syslog, syslog-ng, metalog, multilog, raw messages), and detects attacks for many services out of the box, including SSH, several ftpds, and dovecot. It can operate all the major firewalling systems, and features support for IPv6, whitelisting, suspension, and log message authentication.
m0n0wall is an all-in-one firewall software package that is based on FreeBSD. It is geared towards embedded PCs, but it also works on standard PCs. It includes an easy-to-use Web interface like commercial firewall boxes do. PHP is used instead of shell scripts, and the entire system configuration is stored in a single XML-formatted file. There is support for VPN, traffic shaping, captive portal, VLANs, and more.
The MiniUPnP project is a library and a daemon. The library enables applications to use the capabilities of a UPnP Internet Gateway Device present on the network to forward ports. The daemon adds the UPnP Internet Gateway Device functionality to a NAT gateway running OpenBSD/NetBSD/FreeBSD/Solaris with PF/IPF or Linux 2.4.x/2.6.x with netfilter. One of its most interesting features is the enforcement of permissions to allow or deny redirections, which brings some security to UPnP. Newer versions also support the NAT-PMP protocol from Apple.
SOHT (Socket over HTTP Tunneling) allows you to tunnel socket connections through an HTTP proxy. Restrictive firewalls often prohibit all outgoing traffic except for HTTP. This application allows you to tunnel socket connections over the HTTP protocol. This application consists of a server that serves as a proxy and a client which tunnels a socket connection over an HTTP connection to the server. The current server is written in Java, and there are clients in Java and .NET.
IPsec-Tools is a Linux port of the user-space tools from KAME. It includes libipsec (a library with a PF_KEY implementation), setkey (a tool for manipulating and dumping the kernel Security Policy Database and Security Association Database), and racoon (Internet Key Exchange daemon for automatically keying IPsec connections).
flashboot for OpenBSD is a set of makefiles, scripts, and support tools to build an OpenBSD image suitable for booting from read-only media, such as flash memory. The default image (smaller than 5Mb) is an image for a firewall/router with support for IPsec, SSH, IPv4 and IPv6 packet filtering, DHCP (client and server), and PPPoE. This image may be further trimmed or extended by editing the packing list files included in the distribution.
pfflowd is a small daemon which converts real-time state expiry messages from OpenBSD's PF packet filter into Cisco NetFlow datagrams. This allows very fine-grained traffic accounting in conjunction with NetFlow capable tools and places almost no incremental load on a PF firewall.
plugdaemon is a load-balancing "plug" proxy. It allows you to forward TCP connections to one or multiple hosts, using load balancing or failover, and to route the connections through an HTTPS proxy. Access control is done by source interface or by originating IP. Outgoing connections can be bound to a specific IP address.