Re: The way forward

From: Darren Reed (
Date: 02/05/03

From: Darren Reed <>
To: (Nicholas Esborn)
Date: Thu, 6 Feb 2003 06:31:50 +1100 (Australia/ACT)

In some mail from Nicholas Esborn, sie said:
> Pf seems to scale better than netfilter/iptables, ipfw, or ipf. Other
> than reading through OpenBSD's pf documentation, I found a paper at:

I'm pretty sure I could 'tune' ipfilter to be just as fast or faster
than pf. I have some clues about why it's slower - the author of the
paper doesn't (AFAIK) but I'm not in a rush to fix this.

> I also like that you can use macros in its config files, and that it
> automatically structures your ruleset for you to some extent (I think
> this obsoletes head/group in ipf).

But they've now gone and added anchors. groups are useful in ways
beyond just optimising rule processing.

> And you can use lists for ports or protocols.
> For example:
> wi_if = "hme1"
> wi_ip = ""
> wi_net = ""
> scrub in on $wi_if all
> pass in log quick on $wi_if proto udp from $wi_net to $wi_ip \
> port {domain, bootpc, bootps, 5000} keep state

Whether or not this is good or not is another thing.

It obfuscates validating the kernel rules loaded with the
configuration file you have in /etc.

> I find pf to be as much of an improvement over ipf as I found ipf to
> be an over ipfw. And of course, there's less possibility of licensing
> surprises, because of OpenBSD's nearly militant adherence to the
> BSD license.
> Sadly, most of the discussion I've seen here about pf on FreeBSD is
> basically "Why would we need another packet filter?"

Oh, IPFilter 4.0 will probably address all of your concerns and even
go beyond what pf is currently providing. I suspect there is a certain
amount of feature emulation currently happening (both ways). You just
hear more about pf than ipf unless you're on the ipf list - there is
currently no summary of "what's new" in 4.0 and it's kinda deliberate
like that so there's no easy shopping list for someone to copy before
I release it :)


To Unsubscribe: send mail to
with "unsubscribe freebsd-security" in the body of the message