FreshTomato Wiki

The Firewall page allows you to set up some options to protect/facilitate certain network communications.

WAN interfaces respond to ping and traceroute - When enabled this option allows your device to respond to certain ICMP/UDP packets so that a ping and traceroute work from Internet.
Limit communication to: This number imposes a maximum number of requests per seconds. It is advised to set up a limit to prevent DDOS attacks.

Enable TCP SYN cookies - Enabling this will protect the router from SYN Flood attacks via a well known technique called SYN cookies. This technique encodes info from the SYN packet into the responce (SYN/ACK). Please note, despite being a standard technique enabling this option imposes some secondary limitation some old TCP/IP staks might not be easy to handle
Enable DCSP Fix - This enables a work-around for a well-known issue related SCP (packet marking) when connected to the ISP Comcast
IPv6 IPSec Passthrough -

NAT loopback - NAT loopback a.k.a Hairpinning is a well know technique that allows LAN devices to access another LAN device via the WAN interface of your router. This is common practice when calling e.g. the DDNS domain of your router from the LAN for administration purpose. Please note this is somehow a legacy setting an it's probably not needed any more. Also be aware of communication bottleneck introduced by this system on fast connections.
NAT target - Define the way NAT is implemented for the sake of Hairpinning. Masquerade is the default however this involves an additional lookup ad the mapping of done towards an interface. SNAT is faster (if ever measurable) as the NAT mapping point directly to the destination IP hence bypassing the lookup stage.