YpFw is a frontend to ipfw and dummynet. It was developed to ease the setting and managing of ipfw rules and dummynet pipes on FreeBSD. It features a curses text interface, which allows the user to add/delete rules, update/clear rules counters, and add/delete/configure pipes. It is not meant as a replacement to ipfw; the user will need to understand ipfw and dummynet rules and syntax.
Amber sits in the tcpserver chain for qmail and implements an "amber list" for incoming mail. This neither accepts nor rejects connections, but implements a number of timing-related tricks to fake out spam and virus software that doesn't implement SMTP correctly. For example, it can defer requests from new IP addresses for a few minutes before it starts passing connections on to smtpd, pause and check for programs that send data before the HELO, and otherwise make things rough for bandit bulk mailers.
lsfw (list firewall) helps network administrators deal with firewalling on a huge network. It lists the firewalls rules applied between two points on the network. It uses the configuration of the network equipment and builds a (light) model of the network described by the equipment. This allows probing for access-list matching all over the network, doing routing and firewalling.
m0n0wall is an all-in-one firewall software package that is based on FreeBSD. It is geared towards embedded PCs, but it also works on standard PCs. It includes an easy-to-use Web interface like commercial firewall boxes do. PHP is used instead of shell scripts, and the entire system configuration is stored in a single XML-formatted file. There is support for VPN, traffic shaping, captive portal, VLANs, and more.
The MiniUPnP project is a library and a daemon. The library is aimed to enable applications to use the capabilities of a UPnP Internet Gateway Device present on the network to forward ports. The daemon adds the UPnP Internet Gateway Device functionality to a NAT gateway running OpenBSD/NetBSD/FreeBSD/Solaris with PF/IPF or Linux 2.4.x/2.6.x with netfilter. One of its most interesting features is to enforce some permissions to allow or deny redirections, bringing some security to UPnP. Newer versions also support the NAT-PMP protocol from Apple.
Sshguard monitors services through their logging activity. It reacts to messages about dangerous activity by blocking the source address with the local firewall. Sshguard employs a clever parser that can transparently recognize several logging formats at once (syslog, syslog-ng, metalog, multilog, raw messages), and detects attacks for many services out of the box, including SSH, several ftpds, and dovecot. It can operate all the major firewalling systems, and features support for IPv6, whitelisting, suspension, and log message authentication.
plugdaemon is a load-balancing "plug" proxy. It allows you to forward TCP connections to one or multiple hosts, using load balancing or failover, and to route the connections through an HTTPS proxy. Access control is done by source interface or by originating IP. Outgoing connections can be bound to a specific IP address.
IPsec-Tools is a Linux port of the user-space tools from KAME. It includes libipsec (a library with a PF_KEY implementation), setkey (a tool for manipulating and dumping the kernel Security Policy Database and Security Association Database), and racoon (Internet Key Exchange daemon for automatically keying IPsec connections).