The current state of OpenBSD's packet filter “PF” in FreeBSD

PF is the default firewall / packet filter in the OpenBSD operating system. It is a very powerful, fast and reliable packet filter with a very nice, human-readable syntax. It is developed for OpenBSD but has made its way into various other *BSD operating systems as well as the (partly) BSD-based Mac OS X.

As development happens in OpenBSD, the other *BSDs are not always up to date with the upstream version of PF. This is also true for FreeBSD.

The current stable PF version number is always equal to the latest OpenBSD release version number. At the time of writing OpenBSD is at version 5.3 (and so is PF).

Starting with OpenBSD/PF version 4.7 (May 2010) the NAT (and route-to/reply-to) syntax has changed significantly (it’s better – but that is not the problem here).

FreeBSD 9.1 and 10.0 (stable at the time of writing) still use PF version 4.5 – which uses the old syntax!
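To make the difference concrete, here is the same NAT, port-redirect and route-to policy written in both dialects. This is an added example, not part of the original post; the interface names, the 192.168.1.0/24 LAN, the 192.168.1.10 web server and the 203.0.113.1 gateway are constructed values. Each half is a separate pf.conf: the 4.5 parser rejects the new keywords and the 4.7+ parser rejects the old ones.

```conf
# Constructed values for the example (not from the original post).
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
www_srv = "192.168.1.10"
gw      = "203.0.113.1"

# ---- PF 4.5 (FreeBSD 9.1 / 10.0): old syntax ------------------------------
# nat/rdr are a separate translation block, evaluated BEFORE the filter rules,
# so the pass rule for the redirect must match the already-translated address.
nat on $ext_if from $lan_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $www_srv
pass in on $ext_if proto tcp from any to $www_srv port 80
# route-to sits BEFORE the packet-matching criteria in the old grammar.
pass in on $int_if route-to ($ext_if $gw) from $lan_net to any

# ---- PF 4.7 and later (OpenBSD 5.3): new syntax ----------------------------
# Translation is an option on match/pass rules and happens as part of
# filtering, so the pass rule matches the ORIGINAL destination ($ext_if),
# and there is no separate rule for the translated address.
match out on $ext_if from $lan_net to any nat-to ($ext_if)
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $www_srv
# route-to moves to the END of the rule, after the matching criteria.
pass in on $int_if from $lan_net to any route-to ($ext_if $gw)
```

`pfctl -nf /etc/pf.conf` parses a ruleset without loading it, so pasting a FAQ example written for the wrong version fails there with a syntax error rather than at boot.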

This can be confusing, especially because the main documentation resource for PF is the official PF FAQ at the OpenBSD website – which is always up to date and thus only discusses the new syntax. (Also, there are not really many documentation resources on the internet regarding PF, especially when looking for more complicated stuff. The Book of PF is a very nice resource, but conversely, if you happen to use OpenBSD >= 4.7 and own the first edition of the book, it’s probably time to get the second edition, which includes the updated syntax. ;)

It is not yet clear when FreeBSD will update PF to a version supporting the new syntax. After a little digging on OpenBSD's FTP server I found some older versions of the PF FAQ, which apply to the PF version FreeBSD ships.

Below is a table including the corresponding FreeBSD, OpenBSD/PF versions and the link to the matching PF FAQ (PDF or TXT).

Also, it seems that “synproxy state” is broken for IPv6 in FreeBSD's PF version 4.5 and earlier versions, but that’s another story.

Update: FreeBSD 10.0 still uses PF version 4.5 but has seen some performance-related improvements and bug fixes.
