Future of pf / firewall in FreeBSD ? - does it have one ?

Kristian K. Nielsen freebsd at com.jkkn.dk
Wed Jul 16 23:15:21 UTC 2014

Hi all,

I have been encouraged by people on the pf mailing list to move this 
discussion to the current mailing list since this may be an area in the 
OS where FreeBSD needs to focus next.

First of all, I am a happy user of the pf firewall module and have been 
for years and think it is really great - the trouble is that lately 
(since 2008) it's getting a bit dusty.

The last few years it seems that pf in FreeBSD has got a long way away from 
pf in OpenBSD, where it originated
- also looking at ipfilter (ipf) and ipfw - they both, to me, do not 
seem to be as complete as pf.

So I am curious if anyone on the mailing list could elaborate about what the
future of pf in FreeBSD is or should be.

a) First of all - is anyone actively developing pf in FreeBSD?

b) We are a major release away from OpenBSD (5.6 coming soon) - is
following OpenBSD's pf the past? - should it be?

c) We never got the new syntax from OpenBSD 4.7's pf - at the time a 
long discussion on the pf mailing list flamed the new syntax, saying it 
would cause FreeBSD administrators too much headache. Today on the list 
it seems everyone wants it - so would we rather stay on a dead branch 
than keep up with the mainstream?

d) Anyone working on bringing FreeBSD up to pf 5.6? - seems dead on the 

e) OpenBSD is retiring ALTQ entirely - any thoughts on that?

f) IPv6 support? - it seems to be more and more challenged in the current 
version of pf in FreeBSD, and I am (as well as others) introducing more 
and more IPv6 in networks.
E.g. bugs #179392, #172648, #130381, #127920 and, more seriously, #124933, 
which is the bug on not handling IPv6 fragments, which has been open 
since 2008 and where the workaround is by necessity to leave a completely 
open hole in your firewall ruleset to allow all fragments. According to a 
comment in the bug, this has been long gone in OpenBSD.

g) Performance: can we live with pf performance that, compared to OpenBSD, 
is slower by a factor of 3 or 4, even after the multi-core support in 
FreeBSD 10?
(Henning Brauer noted that in this talk at 
http://tech.yandex.ru/events/yagosti/ruBSD/talks/1488/ (at 33:18 and 
36:53)) - credit/Jim Thompson

h) Bringing back patches from pfSense?

And my most important question:

* Should this or could this be a project for the foundation to either do 
a summer project or a funded project to bring this part of the OS up to date?

Hope to hear from you all,

Best regards,

Kristian Kræmmer Nielsen,
Odense, Denmark
