Features	Linux iptables / netfilter	Linux ipfwadm	Linux ipchains	CheckPoint FW-1	IP Filter	FreeBSD IPFW	PF
filter in/out based on Layer 3 and Layer 4 headers	-	-	-	-	-	-	-
filter TCP/UDP by a port number range	-	-	-	-	-	-	-
filter ICMP by type/code	-	-	-	-	-	-	-
filter "established" TCP packets	-	-	-	-	-	-	-
filter on TCP flags	-	-	-	-	-	-	-
filter IP fragments	-	-	-	-	Y	-	-
filter short IP fragments	-	-	-	-	Y	-	-
filter based on IP options	-	-	-	-	Y	-	-
stateful connection tracking for TCP	-	-	-	-	-	-	-
stateful connection tracking for UDP	-	-	-	-	-	-	-
stateful connection tracking for ICMP	-	-	-	-	-	-	-
specify state timeouts for all phases of a TCP connection	-	-	-	-	-	-	-
match on the interface a packet arrives on or leaves by	-	-	-	-	-	-	-
match on any IP protocol	-	-	-	-	-	-	-
match bridged packets	-	-	-	-	-	Y	-
match locally generated packets by user UID	-	-	-	-	-	Y	Y
match locally generated packets by group GID	-	-	-	-	-	Y	Y
network address translation	-	-	-	-	-	-	-
redirection for transparent proxies	-	-	-	-	-	-	-
pass packet header details to external programs for authentication	-	-	-	-	Y	-	-
send back an ICMP error for denied packets	-	-	-	-	-	-	-
send back a TCP reset for denied packets	-	-	-	-	-	-	-
silently drop packets	-	-	-	-	-	-	-
IP accounting	-	-	-	-	-	-	-
fragment caching/checking	-	-	-	-	-	-	-
apply different policies to different users	-	-	-	-	-	-	-
high availability with failover	-	-	-	-	-	-	-
packet prioritization	-	-	-	-	-	-	-
traffic shaping	-	-	-	-	-	-	-
normalizing TCP/IP traffic	-	-	-	-	-	-	-
passively classify packets by source operating system (OS fingerprinting)	-	-	-	-	-	-	-
load balancing	-	-	-	-	-	-	-
modulate TCP initial sequence numbers	-	-	-	-	-	-	-
user-defined macros or variables	-	-	-	-	-	-	-
address lists (tables) that can be modified at run time	-	-	-	-	-	-	-
sub-rulesets / dynamic rulesets	-	-	-	-	-	-	-
apply a tag to a packet for policy-based filtering	-	-	-	-	-	-	-
state table changes available in real time	-	-	-	-	-	-	-
state table changes available over the network (to other firewalls, for example)	-	-	-	-	-	-	-
logging packet headers	-	-	-	-	-	-	-
logging TCP/UDP/ICMP headers	-	-	-	-	Y	-	-
logging at least part of the packet payload	-	-	-	-	Y	-	-
per-rule logging of matching packets	-	-	-	-	Y	-	-
log to file	-	-	-	-	-	-	-
log to console	-	-	-	-	-	-	-
log to syslog	-	-	-	-	-	-	-
tcpdump can be used to read the log	-	-	-	-	-	-	-
statistics for packet processing	-	-	-	-	-	-	-
allow testing the ruleset with sample packets	-	-	-	-	Y	-	-
command-line interface	-	-	-	-	-	-	-
graphical management console (e.g. X11)	-	-	-	-	-	-	-
web-based interface	-	-	-	-	-	-	-
rule evaluation optimization	-	-	-	-	-	-	-
configuration aliases (built-in)	-	-	-	-	-	-	-
normal usage is per rule (rules are added one at a time from the command line)	Y	Y	Y	-	N	Y	N
normal usage is per entire ruleset (the whole ruleset is loaded from a file as a unit)	N	N	N	-	Y	N	Y
has active and inactive rulesets	-	-	-	-	Y	-	-
has a default rule	-	-	-	-	-	Y	-
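The ruleset below is an added example, not part of the original comparison and not an official configuration from any of the projects listed. It shows how many of the rows above (macros, run-time tables, timeouts, normalization, NAT and proxy redirection, TCP reset versus silent drop, sequence number modulation, passive OS fingerprinting, tags, per-user rules, anchors as sub-rulesets, pfsync for state sharing) look in one PF ruleset, written in the classic pf.conf syntax with separate nat/rdr translation rules. The interface names (em0, em1, em2), addresses, the anchor name and the user name are placeholders. The "per entire ruleset" usage model in the last rows corresponds to loading this file with pfctl -f /etc/pf.conf after checking it with pfctl -nf /etc/pf.conf.

```pf
# Macros / variables; interface names are placeholders for this example
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

# Tables can be changed at run time without reloading the ruleset, e.g.
#   pfctl -t blocked -T add 203.0.113.4
table <blocked> persist
table <rfc1918> const { 10/8, 172.16/12, 192.168/16 }

set optimization normal             # rule evaluation optimization
set loginterface $ext_if            # per-interface counters in pfctl -s info
set timeout { tcp.first 120, tcp.established 86400, tcp.closing 900 }
set skip on lo0

# Normalize traffic: reassemble fragments and sanitize header fields
scrub in all

# Translation rules come before filter rules in this syntax
nat on $ext_if from $int_if:network to any -> ($ext_if)
# Redirection for a transparent proxy listening locally on port 3128
rdr on $int_if proto tcp from $int_if:network to any port www -> 127.0.0.1 port 3128
# Load balancing across two internal servers (placeholder addresses)
rdr on $ext_if proto tcp to ($ext_if) port https -> { 10.0.0.10, 10.0.0.11 } round-robin

# Default policy: drop silently and log; pflogd writes /var/log/pflog,
# which tcpdump can read:  tcpdump -n -e -ttt -r /var/log/pflog
block drop log all
# For internal clients, answer with TCP RST / ICMP unreachable instead
block return in on $int_if from $int_if:network

antispoof for $ext_if
block in quick on $ext_if from { <blocked>, <rfc1918> } to any

# Stateful TCP with randomised initial sequence numbers
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA modulate state
# Passive OS fingerprint of the client
pass in on $ext_if proto tcp from any os "Linux" to ($ext_if) port www \
    flags S/SA keep state

# Tag LAN packets on the way in and match the tag on the way out
pass in on $int_if from $int_if:network to any tag LAN_OUT keep state
pass out on $ext_if tagged LAN_OUT keep state

# ICMP by type and code; UDP with state
pass in inet proto icmp from any to ($ext_if) icmp-type echoreq code 0 keep state
pass out on $ext_if proto udp from ($ext_if) to any port domain keep state

# Filter locally generated packets by owning user (user name is a placeholder)
pass out on $ext_if proto tcp from ($ext_if) to any port smtp user _smtpd keep state

# Sub-ruleset: rules loaded later with  pfctl -a ssh-extra -f /etc/pf.ssh.conf
anchor "ssh-extra" in on $ext_if proto tcp to port ssh

# State table replication to a partner firewall; failover itself is carp
pass quick on $sync_if proto pfsync
pass on { $ext_if, $int_if } proto carp keep state
```

Rule order matters in this syntax: options, scrub, translation (nat/rdr) and then filter rules, with last match winning unless a rule says quick. Table contents and anchor contents survive a reload of the main file, which is what makes them usable for real-time changes such as adding an attacker's address to <blocked> from a log-watching script.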
