PF today

At this point, we have covered a bit of background. Some years have passed since 2001, and PF in its present OpenBSD 6.1 form is a packet filter which is capable of doing quite a few things, if you want it to.

For one thing, PF classifies packets based on protocol, port, packet type, source or destination address. With a reasonable degree of certainty it is also able to classify packets based on source operating system.

And even if NAT is not a necessary part of a packet filter, for practical reasons it's nice that the address rewriting logic is handled somewhere nearby. Consequently, PF contains NAT logic as well.

PF is able - based on various combinations of protocol, port and other data - to redirect traffic to destinations other than those designated by the sender, for example to a different machine, or to a program such as a daemon listening on a port for further processing, locally or on a different machine.

Before PF was written, OpenBSD already contained the ALTQ code to handle load balancing and traffic shaping. After a while, ALTQ was integrated with PF, mainly for practical reasons.[1]

As a result, all these features are available to you through one single, essentially human-readable configuration file, usually called pf.conf and stored in the /etc/ directory.

PF is now available as part of the base system on OpenBSD; on FreeBSD, where from version 5.4 onward PF is one of three firewalling systems that can be loaded at will; and on NetBSD and DragonFlyBSD. The last two I have not had the resources to play much with myself; something about having both hardware and time available at the same time. Anyway, all indications are that only very minor details vary between these systems as far as PF is concerned, except that the PF versions in the other systems tend to trail the OpenBSD PF version by a few revisions, mostly due to differences in development and release cycles. With a flag day release such as OpenBSD 4.7, the differences between operating systems can be rather significant until all systems have caught up.



It should also be noted that ALTQ was superseded in OpenBSD 5.5 by a newer, all-HFSC queueing engine; see the relevant parts of The Book of PF (3rd edition) or the slides matching my latest tutorial session for details.
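To show how the features listed above (classification by protocol, port, address and source OS, NAT, redirection and queueing) fit into that one pf.conf file, here is an added example in OpenBSD 6.1 syntax using the post-5.5 queueing engine. It is not a configuration from the tutorial; the interface names, addresses and bandwidth figures are assumptions chosen for illustration.

```pf
# Added example, not part of the tutorial. Interface names, addresses
# and bandwidths are assumed values for illustration only.
ext_if    = "em0"
int_if    = "em1"
lan       = "192.0.2.0/24"     # documentation prefix standing in for the LAN
webserver = "192.0.2.10"

# Queueing (OpenBSD 5.5+ HFSC-based engine): a root queue on the
# external interface with a default child and a small priority child.
queue rootq on $ext_if bandwidth 20M max 20M
queue std   parent rootq bandwidth 18M default
queue pri   parent rootq bandwidth 2M min 1M

set skip on lo

# Normalise incoming packets (reassemble fragments, randomise IP ids).
match in all scrub (no-df random-id)

# NAT: rewrite LAN sources to the external interface's primary address.
# match actions are applied before the pass/block rules are evaluated.
match out on $ext_if inet from $lan nat-to ($ext_if:0)

# Default deny and log; everything below is an explicit exception.
block log all

# Classification by protocol, port and source/destination address.
pass in  on $int_if inet from $lan to any
pass out on $int_if inet to $lan
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any

# Redirection: inbound HTTP is handed to an internal host on another port.
pass in on $ext_if inet proto tcp to ($ext_if) port 80 \
    rdr-to $webserver port 8080

# Classification by source operating system (passive fingerprinting,
# which works on the initial TCP SYN only).
pass in on $ext_if inet proto tcp from any os "OpenBSD" \
    to ($ext_if) port ssh

# Queue assignment: SSH bulk data goes to std, while lowdelay packets
# and empty ACKs are placed in the second, priority queue.
pass out on $ext_if inet proto tcp to port ssh set queue (std, pri)
```

Before loading a file like this, check its syntax without touching the running ruleset with `pfctl -nf /etc/pf.conf`.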