PF performance in FreeBSD

Jeremy C. Reed reed at reedmedia.net
Tue Mar 11 11:53:58 UTC 2008


On Tue, 11 Mar 2008, Igor Zinovik wrote:

> I decided to switch from ipf to pf at work.  So I try to explain to
> co-admin why pf is better than ipf.  My main arguments for switching from
> ipf are that pf is still maintained and feature rich.  Main disadvantage
> of ipf is that it is hard to maintain configuration file (since it does
> not support macros we created shell script to obtain macro support).

These arguments are not true.

IPF is maintained. FreeBSD's official handbook says "IPFILTER is actively 
being supported and maintained, with updated versions being released 
regularly." The FAQ was last updated on 07/05/07 (July 2007 I assume). It 
looks like the latest release of IP Filter (4.1.28) was released on Oct. 
17, 2007.

IPF is feature rich. Some examples: tuning during run-time; save state 
over reboots; active and testing filter which can be swapped; can generate 
C code for filter rules hard-coded in custom kernel; flush specific TCP 
states (at run-time); flush idle states that are a certain age (at 
run-time); provides tools to generate simple ruleset and testing of 
rulesets without enabling on real firewall (and using various packet input 
formats); able to call kernel functions per rule; authentication (such 
as password) for rules; lookup tables; packet per second matching; a few 
built-in proxies; some load balancing; checksum verifications; and more.

IPF does support macros. It has always supported nested variable 
substitution. (Sadly this is not documented.)


  Jeremy C. Reed

p.s. I primarily use PF because of its great documentation -- in fact, I 
published an edited, indexed, cross-referenced, and improved version of 
some PF docs in book format.


More information about the freebsd-pf mailing list