Home > OpenBSD > Porting The PF Stateful Packet Filter

Porting The PF Stateful Packet Filter

  Submitted by KernelTrap OpenBSD 8 Comments

KernelTrap offers an in depth look at the recent efforts to port OpenBSD’s stateful packet filter, pf, to other operating systems. The article includes interviews from Pyun YongHyeon who’s working on the FreeBSD port, pf creator Daniel Hartmeier, pf developer Henning Brauer and OpenBSD creator Theo de Raadt.


In addition to discussing recent porting efforts, the last half of the article focuses on all the new features in pf that will be available with the May 1’st release of OpenBSD 3.3.

About The Author

Eugenia Loli

Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.

Follow me on Twitter @EugeniaLoli

8 Comments

  1. 2003-04-09 3:24 am
    Anonymous

    How does pf compare with iptables?

  2. 2003-04-09 4:22 am
    Anonymous

    I cannot stand IPTables. Coming from the BSD side of the house IPFilters is so much nicer. PF is very similar and beautiful as well.

  3. 2003-04-09 5:16 am
    Anonymous

    Is pf any better than iptables? If yes, anybody porting it (whether the whole thing or as feature ports) to Linux? Iptables/netfilter team?

  4. 2003-04-09 7:22 am
    Anonymous

    i doubt it. these are competitors (pf vs iptables), so i dont think the netfilter team would spend any effort porting pf. it makes their efforts redundant and useless.

  5. 2003-04-09 9:32 am
    Anonymous

    pf has nicer syntax, iptables has better performance.

    If you are building a router or firewall box for just a small network, use openbsd/pf. If high performance is an issue, stick with iptables.

  6. 2003-04-09 12:27 pm
    Anonymous

    >pf has nicer syntax, iptables has better performance.

    i would say its not as cut-and-dried as that. some details and fancy graphs:

    http://www.benzedrine.cx/pf-paper.html

  7. 2003-04-09 1:57 pm
    Anonymous

    > pf has nicer syntax, iptables has better performance.

    As Jemma has pointed out, you should review that comparison. Also note that much development has gone on since that was published (5/2002).

    Iptables’ main performance advantage was due to the lack of true stateful tracking. It uses “connection tracking”, which does not monitor the SID. This functionality is now available via the patch-o-matic, and a proper comparison of filtering with this feature is needed.

    -J.

  8. 2003-04-09 8:28 pm
    Anonymous

    pf has nicer syntax, iptables has better performance.

    If you are building a router or firewall box for just a small network, use openbsd/pf. If high performance is an issue, stick with iptables.

    Opposite here, I find BSD’s IPF, IPFW and PF have the better performance, better control packets and etc than IPChain and IPTables do.