Re: The way forward

From: Darren Reed (
Date: 02/05/03

From: Darren Reed <>
To: (Nicholas Esborn)
Date: Thu, 6 Feb 2003 06:31:50 +1100 (Australia/ACT)

In some mail from Nicholas Esborn, sie said:
> Pf seems to scale better than netfilter/iptables, ipfw, or ipf. Other
> than reading through OpenBSD's pf documentation, I found a paper at:

I'm pretty sure I could 'tune' ipfilter to be just as fast or faster
than pf. I have some clues about why it's slower - the author of the
paper doesn't (AFAIK) but I'm not in a rush to fix this.

> I also like that you can use macros in its config files, and that it
> automatically structures your ruleset for you to some extent (I think
> this obsoletes head/group in ipf).

But they've now gone and added anchors. Groups are useful in ways
beyond just optimising rule processing.

> And you can use lists for ports or protocols.
> For example:
> wi_if = "hme1"
> wi_ip = ""
> wi_net = ""
> scrub in on $wi_if all
> pass in log quick on $wi_if proto udp from $wi_net to $wi_ip \
> port {domain, bootpc, bootps, 5000} keep state

Whether or not this is good or not is another thing.

It obfuscates validating the kernel rules loaded with the
configuration file you have in /etc.

> I find pf to be as much of an improvement over ipf as I found ipf to
> be an over ipfw. And of course, there's less possibility of licensing
> surprises, because of OpenBSD's nearly militant adherence to the
> BSD license.
> Sadly, most of the discussion I've seen here about pf on FreeBSD is
> basically "Why would we need another packet filter?"

Oh, IPFilter 4.0 will probably address all of your concerns and even
go beyond what pf is currently providing. I suspect there is a certain
amount of feature emulation currently happening (both ways). You just
hear more about pf than ipf unless you're on the ipf list - there is
currently no summary of "what's new" in 4.0 and it's kinda deliberate
like that so there's no easy shopping list for someone to copy before
I release it :)
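
The remark above about macros and lists obscuring the comparison between the loaded kernel rules and the file in /etc, as an added example that is not part of the original message and is not pf or ipf code: a simplified model that flattens macros and brace lists into one rule per combination and diffs the result against a rule dump. The addresses are constructed placeholders, and the dump is assumed to be already normalised to the same text form, which a real tool's listing would not be.

```python
import itertools
import re

# Constructed sample modelled on the rule quoted in the thread. The addresses
# are documentation placeholders; the archived message shows empty strings.
SAMPLE_CONF = '''\
wi_if = "hme1"
wi_ip = "192.0.2.1"
wi_net = "192.0.2.0/24"
scrub in on $wi_if all
pass in log quick on $wi_if proto udp from $wi_net to $wi_ip \\
    port {domain, bootpc, bootps, 5000} keep state
'''

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
BRACE_LIST = re.compile(r'\{([^{}]*)\}')


def expand_rules(conf_text):
    """Flatten macros and {lists} into one rule string per combination."""
    text = re.sub(r'\\\n\s*', ' ', conf_text)       # join continued lines
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments
        if not line:
            continue
        definition = MACRO_DEF.match(line)
        if definition:
            macros[definition.group(1)] = definition.group(2)
            continue
        # An undefined macro raises KeyError rather than passing silently.
        line = re.sub(r'\$(\w+)', lambda m: macros[m.group(1)], line)
        # split() with a capture group alternates literal text and list bodies.
        parts = BRACE_LIST.split(line)
        choices = [[p] if i % 2 == 0 else re.findall(r'[^,\s]+', p)
                   for i, p in enumerate(parts)]
        for combo in itertools.product(*choices):
            rules.append(' '.join(''.join(combo).split()))
    return rules


def audit(conf_text, loaded_rules):
    """Return (missing, unexpected) between the config and a loaded-rule dump."""
    expected, loaded = set(expand_rules(conf_text)), set(loaded_rules)
    return sorted(expected - loaded), sorted(loaded - expected)
```

Two rule lines in the sample file become five flat rules, so a line-for-line comparison against the loaded set cannot succeed without this expansion step.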

