Packet Filtering
Allows you to effectively stop / drop / reject any traffic that you do not
either need or want in the first place. With HardWall Firewall there are many
places in which packets are dropped, logged and / or rejected.
Network Address Translation
Allows you to share an IP for connection sharing, or use it for hosting services
on a single IP, whether it be a 'Static' or 'Dynamic' IP connection. HardWall
also allows for DNAT & SNAT on Single, Multiple & Bridged Interface Firewalls.
Port Redirect & Forwarding
Allows you to open ports to be forwarded to internal hosts with IP Sharing.
Also allows you to redirect traffic to different ports, or even to services
like Squid, which can be set up in Transparent Mode so that all HTTP traffic
coming from the internet will go via the Squid Caching Proxy without
the need for the client to have any setting in their web browser.
Dynamic IP Support
Allows you to effectively use a Dynamic IP with HardWall without the need to
modify all your rules accordingly. This is accomplished by using ip-up.local
with ppp(d) style connections and dhcp-exit-hooks for Ethernet and Cable.
These files will update everything as needed when you receive a new IP Address.
TCP/IP Sysctl Options
HardWall utilises the TCP/IP sysctl options in the Linux Kernel to disable
unneeded options and also to detect (D)enial (o)f (S)ervice attacks, and for
Source Routing Prevention, Anti-Spoof and Smurf Protection, plus more...
IP/MAC Address Protection
HardWall Firewall allows the user(s) to potentially protect their MAC
address and IP Address from being used by someone who is unauthorized...
This is an excellent way of helping to protect Wireless and LAN Clients
that may be connecting through or to the HardWall Firewall ...
Access Control Lists
HardWall provides Access Control Lists that allow you to add hosts or
netmasks to which you may want to apply Deny, Allow, Upload / Download Quota(s),
Strict Client Access (access to certain ports only) and much more...
Stealth IDENT Control
Allows you to specify the ports of the services that you use, e.g.
FTP, IRC, MAIL, and HardWall will reject IDENT requests specific
to the initial connection that you made, so the service knows
you don't use IDENT, without the need to leave TCP Port 113 open ...
Transparent Bridging Firewall
HardWall can be configured to be a Transparent Bridging Firewall,
effectively allowing you to overcome unseen Network Design Flaws.
It can be used as a Router and a Bridging Firewall simultaneously.
Active Port Scan Detection
HardWall can be configured to Detect and Prevent Port Scans.
Extremely handy for protecting your Services and Servers...
This function does require you to patch your kernel though !!!
Peer-2-Peer Network Detection
HardWall can be configured to Detect and Prevent Peer-2-Peer traffic.
Handy for blocking those annoying people that are not allowed to.
This function does require you to patch your kernel though !!!
MTU & TCP Control
Sometimes people have problems with their ISP regarding MTU.
This is due to Brain Dead ISPs & Network Admins that don't use
TCP Window Scaling or, even worse, ICMP Don't Fragment packets.
This is fixed by clamping the PMTU on all outbound traffic.
Samba Logging & Traffic
HardWall can be configured to log Samba traffic if needed...
It can also be configured to allow it only in certain directions.
Extremely handy for protecting your Services and Servers !!!
Packet Flow Limiting
HardWall is configured by default to allow only a certain number
of new connections per second per service, e.g. ICMP, TCP & UDP ...
If your kernel has been patched, you may also limit connections ...
Stateful Packet Inspection
HardWall uses Netfilter's Connection Tracking features, which allow
NEW, ESTABLISHED, INVALID and other states to be tracked so that traffic
intended to pass through the Firewall can be located and allowed to flow.
Reserved IPv4 Address Space
HardWall is configured by default to disable all traffic to and from IPs
that exist in ICANN's Reserved IPv4 Address Space... If you need to use
some of these addresses, you can just remove them from the Main Config.
It will, however, allow the ICANN IPv4 Private Address Range if you are using
it on the LAN side. In turn, all other Private Ranges will be disabled ...
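
The reserved-address policy described above can be sketched as follows. This is an added example, not HardWall's own code: the block list, the function names, the interface name eth0 and the choice of the INPUT and FORWARD chains are assumptions, and it goes one step further than the text by carving only the LAN subnet out of its private range, so the rest of that range stays blocked.

```python
import ipaddress

# IANA special-purpose IPv4 blocks. This list is an assumption of the
# example; the list HardWall ships in its main config is not on the page.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]


def blocked_networks(lan):
    """Reserved blocks to drop on the WAN side, minus the LAN subnet."""
    lan = ipaddress.ip_network(lan)
    blocked = []
    for net in RESERVED:
        if net.subnet_of(lan):
            continue                      # block lies entirely inside the LAN
        if lan.subnet_of(net):
            # Keep the remainder of the range blocked, exclude only the LAN.
            blocked.extend(net.address_exclude(lan))
        else:
            blocked.append(net)
    return sorted(blocked)


def is_blocked(addr, lan):
    """True if addr would be dropped as a WAN-side source address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in blocked_networks(lan))


def drop_rules(lan, wan_if="eth0"):
    """iptables commands dropping reserved sources arriving on wan_if."""
    return [f"iptables -A {chain} -i {wan_if} -s {net} -j DROP"
            for net in blocked_networks(lan)
            for chain in ("INPUT", "FORWARD")]


if __name__ == "__main__":
    # Constructed sample LAN; adjust to the real LAN subnet.
    for rule in drop_rules("192.168.1.0/24"):
        print(rule)
```
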