Future of pf in FreeBSD ? - does it have one ?

Kristian K. Nielsen freebsd at com.jkkn.dk
Tue Jul 8 22:32:39 UTC 2014

Hi all,

I am a happy user of the pf-firewall module and have been for years and 
think it is really great but lately its getting a bit dusty.

The last few years, however, it seem that pf in FreeBSD got a long way 
away from pf in OpenBSD where it originated and I am also continually 
watching where FreeBSD goes with ipfilter (ipf) and ipfw (dead?).

So I am curious if any on the mailing could elaborate about what the 
future of pf in FreeBSD is.

a) First of all - are any actively developing pf in FreeBSD?

b) We are a major release away from OpenBSD (5.6 coming soon) - is 
following OpenBSD's pf the past?

c) We never got the new syntax from OpenBSD 4.7's pf - is that still 
blocking us?

d) Anyone working on bringing FreeBSD up to 5.6?

e) OpenBSD is retiring ALTQ entirely - any thoughts on that?

f) IPv6 support?- it seem to be more and more challenged in the current 
version of pf in FreeBSD and I am (as well as others) introducing more 
and more IPv6 in networks.
E.x. Bugs #179392, #172648, #130381, #127920 and more seriously #124933, 
which is the bug on not handling IPv6 fragments which have been open 
since 2008 and where the workaround is necessity to leave an open hole 
in your firewall ruleset to allow all fragments. Occoring to comment in 
the bug, this have been long gone in OpenBSD.

Hope to heard from you all,

Best regards,

Kristian Kræmmer Nielsen,
Odense, Denmark

More information about the freebsd-pf mailing list