SafeSquid is a content filtering proxy server. It supports 'profiled' Internet access, a browser based interface, very fast throughput, DNS caching, content caching, pre-fetching, bandwidth control, virus scanning, ICP, CARP, and ICAP clients, source, target, and time-based granular firewall style rules to allow or deny content like music, videos, Flash and Java applets, messengers, chats, cookies, ActiveX, scripts, etc., remote authentication, real-time text and image analysis for blocking pornography, and an URL filter.
360-FAAR (Firewall Analysis Audit and Repair) is an offline, command line, Perl firewall policy manipulation tool to filter, compare to logs, merge, translate, and output firewall commands for new policies, in Checkpoint dbedit, Cisco ASA, or ScreenOS commands. It is all contained in one file. It can read policy and logs for: Checkpoint FW1 (in odumper.csv / logexport format), Netscreen ScreenOS (in get config / syslog format), and Cisco ASA (show run / syslog format). It uses both inclusive and exclusive CIDR and text filters, permitting you to split large policies into smaller ones for virutalization at the same time as removing unused connectivity. It supports policy to log association, object translation, rulebase reordering and simplification, rule moves, and duplicate matching automatically. It allows you to seamlessly move rules to where you need them. 'print' mode creates a spreadsheet for your audit needs with one command.
FIAIF is an Intelligent Firewall. It provides a highly customizable script for setting up an iptables-based firewall. Configuration is done through one configuration file for each network to which the firewall is connected. FIAIF supports masquerading, port forwarding, traffic shaping, and more.
conntrack-tools is a set of userspace tools for Linux that allow system administrators to interact with the Connection Tracking System, the module which provides stateful packet inspection for iptables. It includes the userspace daemon conntrackd and the commandline interface conntrack.
PHREL is a per host rate limiter. It will track the rate of incoming traffic on a server and insert a chain into iptables when a configured threshold is crossed. The inserted chain may either rate limit or block the offending host for a period of time. The inserted chain is automatically removed when the offending host's traffic levels return to normal. PHREL is particularly well suited to protecting nameservers (DNS) from random hosts that flood requests, and to preventing SSH brute force login attempts.
LFT (Layer Four Traceroute) is a sort of "traceroute" that often works much faster than the commonly-used Van Jacobson method and goes through many configurations of packet-filter based firewalls. More importantly, LFT implements numerous other features, including TCP, UDP, or ICMP-based traces, AS number lookups through several reliable sources, loose source routing, netblock name lookups, and more. LFT also distinguishes between layer-4 protocols, which make its statistics slightly more realistic, and gives a savvy user the ability to trace protocol routes, not just layer-3 hops.