(no title)

I manage a pf.conf with about 400 rules across a dozen VLANs, I find it intuitive and even enjoyable to work on. It feels kinda like editing source code - there are some host, network, and port declarations at the top, a section for NAT and egress, then a section for each VLAN that contains the pass in/pass out rules.

I tail the pflog0 interface in a tmux session so I can keep an eye on pass/block, and also keep a handy function in my .profile to make it easy to edit the ruleset and reload:

    function pfedit {
            vi /etc/pf.conf && \
            pfctl -f /etc/pf.conf && \
            { c=`pfctl -s rules | wc -l | tr -d ' '`; printf 'loaded %s rules\n' "$c"; }
    }

This opens the file for editing, reloads the ruleset (which also validates it), then returns the rule count if successful.

In my experience, PF operates a LOT more like commercial firewalls in how you think about filtering and NAT.

In Linux, even with nftables you still have the concepts of "chains" which goes all the way back to the ipchains days. IME this isn't a particularly helpful way of viewing things. With PF you can simply make your policy decisions on in or out and on which interface(s). Also I'm not sure I ever saw a useful application of why you'd apply a policy on the pre/post-routing chains that wasn't achievable elsewhere in PF and in a simpler way.

Also I've never been a fan of having a command that just inserted or deleted a policy instead of working from a configuration file. (nft "config" files are really just scripts that run the command successively.) I get why some folks would want that (it probably makes programmatic work a lot easier) but for me it was never a benefit.

Anyhow it's been a long time since I've had to do this kind of thing so maybe I'm out of touch on the details. Happy to hear about how I'm wrong lol.

I haven't used Linux as a gateway in years, so I can only compare pf to iptables. The two biggest differences are the way the rules are applied and the logging.

pf rules work a little backwards compared to iptables. A packet traverses the entire ruleset and the last rule to match wins. You can short-circuit this with a "quick" directive. It takes a bit of getting used to coming from iptables.

The logging on pf doesn't integrate with syslog automatically like iptables does. You're expected to set up a logging system for your particular use case. There are several ways to do it, and for production you'd be doing it regardless, but for honelab setups it's an extra thing you need to worry about.

I prefer pf, but I don't recommend it to people new to firewalls.

It's fine if all you need is a packet filter, but in 2026 I question that many production use cases can get away with just packet filter.

As a host firewall, it's obviously fine, I assume your question is about using pf as a network firewall. Given the threat landscape, you usually want threat protection. At the very least that means close-to-real-time updates from reputation lists. You can script that with pf, but it's not fun. Really, you want protocol dissection and - quite possibly - the ability to decrypt on the box and do payload analysis. Just doing packet filtering doesn't buy you all that much anymore these days, and anything production that requires compliance or that you genuinely care about should be behind what you might also call IPS or layer 7 firewall capabilities.

pf doesn't do any of that. You don't have to use Palo Alto or Cisco for this, either.

If all you need is packet filtering, it's a good option, though.

I'm just glad we don't have to deal with iptables anymore. That said, due to iptables -A crap being embedded in countless tutorials and LLM FFN-head weights, we'll end up needing to keep it fresh in mind for decades to come.

It's slower than nftables.

Their BDFL thinks BC breaks are great “we’ll be in a better place” I remember him saying, and has blessed breaking pf multiple times by changing the rule syntax, whereas prior versions of this book are suddenly obsolete along with countless tutorials, forum posts, etc.

This is one thing M$ gets right, in business environments you don’t do that. I wouldn’t use pf for anything outside a home lab.