Design Philosophy
Secure, robust packet filtering

Stateful tracking based on Guido van Rooij's paper:
http://www.madison-gurkha.com/publications/tcp_filtering/

Packet normalisation

Filtering on all the normal things, and some abnormal things

Many DoS mitigation techniques

Failover support via CARP, pfsync
IPsec failover via pfsync and sasyncd