top | item 46845629

MarginalGainz | 28 days ago

For me, the decisive factor is readability as a safety mechanism. When you are debugging a network outage at 3 AM, PF's syntax (pass in on $ext_if...) reads almost like English sentences.

nftables is technically powerful and faster than legacy iptables, but the cognitive load required to parse a complex ruleset is still higher than PF. In an operational context, clarity prevents outages. That alone makes PF the superior choice for edge firewalls where human auditability is critical.
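The contrast the comment draws, shown as one constructed edge-firewall policy written in both syntaxes. This is an added example, not part of the post or of either project's documentation; the interface names (em0/em1, eth0/eth1), the RFC 5737 documentation address ranges and the "admin network" are assumptions chosen for illustration.

```conf
# ---- PF: /etc/pf.conf (constructed example) ----
ext_if    = "em0"              # assumed upstream interface
int_if    = "em1"              # assumed LAN interface
lan_net   = "192.0.2.0/24"     # placeholder LAN range (RFC 5737)
admin_net = "203.0.113.0/24"   # placeholder: where administrators connect from

set skip on lo0                # never filter loopback

block log all                  # default deny in both directions, log drops
pass out quick                 # traffic leaving the box (or being forwarded out) is allowed; state is kept by default

# LAN hosts may initiate anything through the firewall
pass in on $int_if from $lan_net to any

# management: SSH to the firewall's own external address, admins only
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port 22

# published service on the external address
pass in on $ext_if proto tcp from any to ($ext_if) port { 80 443 }

# ---- nftables: /etc/nftables.conf (constructed example, same policy) ----
#!/usr/sbin/nft -f
flush ruleset

define ext_if    = "eth0"
define int_if    = "eth1"
define lan_net   = 192.0.2.0/24
define admin_net = 203.0.113.0/24

table inet edge {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # management: SSH from admins only, arriving on the upstream side
        iifname $ext_if ip saddr $admin_net tcp dport 22 accept
        # published service
        iifname $ext_if tcp dport { 80, 443 } accept
        # LAN may talk to the firewall itself
        iifname $int_if ip saddr $lan_net accept
        log prefix "edge-drop: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # LAN hosts may initiate outbound connections through the box
        iifname $int_if oifname $ext_if ip saddr $lan_net accept
        log prefix "edge-fwd-drop: " drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Both files can be parsed without loading them, which is the check worth running before a change on a production edge: `pfctl -nf /etc/pf.conf` (`-n` parses only) and `nft -c -f /etc/nftables.conf` (`-c` checks only). Two points of the comparison stand out in the listings: PF evaluates rules last-match with a single default-deny line and implicit state tracking, so one `pass in on $int_if` line covers both traffic to the firewall and traffic through it, while nftables needs the same policy spread over separate `input` and `forward` chains with explicit `ct state` handling in each.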
