
iyn today at 10:49 AM

What's everyone's experience with modern PF in production? Also, not to start a holy war, but what people think about modern PF vs nftables? I've only ever used nftables (and only in fairly simple scenarios) but I've always been curious about the PF side of the world.


Replies

accrual today at 2:17 PM

I manage a pf.conf with about 400 rules across a dozen VLANs, I find it intuitive and even enjoyable to work on. It feels kinda like editing source code - there are some host, network, and port declarations at the top, a section for NAT and egress, then a section for each VLAN that contains the pass in/pass out rules.

I tail the pflog0 interface in a tmux session so I can keep an eye on pass/block, and also keep a handy function in my .profile to make it easy to edit the ruleset and reload:

    function pfedit {
            # Edit, then load. pfctl -f parses the whole file before touching the
            # kernel, so a syntax error makes it exit non-zero and the && chain
            # stops with the previous ruleset still in place.
            vi /etc/pf.conf && \
            pfctl -f /etc/pf.conf && \
            { c=$(pfctl -s rules | wc -l | tr -d ' '); printf 'loaded %s rules\n' "$c"; }
    }
This opens the file for editing, reloads the ruleset (which also validates it), then returns the rule count if successful.
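
As an added illustration of the layout described in that comment (macro and table declarations at the top, then NAT and egress, then one section per VLAN with its pass in/pass out rules), here is a skeleton pf.conf in OpenBSD syntax. It is not the commenter's ruleset: the interface names, VLAN numbers, addresses and ports are invented, and the three VLANs stand in for the dozen mentioned.

```pf
# Added example skeleton, not the commenter's 400-rule pf.conf.
# All interface names, networks and hosts below are made up.

# --- declarations -----------------------------------------------------------
ext_if = "em0"
vlan10 = "vlan10"          # servers
vlan20 = "vlan20"          # workstations
vlan30 = "vlan30"          # guests

servers_net = "10.0.10.0/24"
clients_net = "10.0.20.0/24"
guests_net  = "10.0.30.0/24"

web_srv   = "10.0.10.5"
dns_srv   = "10.0.10.53"
web_ports = "{ 80 443 }"

# addresses that must never arrive from the Internet
table <martians> const { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                         172.16.0.0/12 192.168.0.0/16 224.0.0.0/3 }
table <rfc1918>  const { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }

set skip on lo0
set block-policy drop
set loginterface $ext_if

match in all scrub (no-df random-id max-mss 1440)

# --- NAT and egress ---------------------------------------------------------
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if)

block log all                                   # default deny, visible on pflog0
block in quick on $ext_if from <martians> to any
antispoof quick for { $vlan10 $vlan20 $vlan30 }

pass out on $ext_if inet                        # anything that reached egress

# --- VLAN 10: servers --------------------------------------------------------
# Servers may resolve names and fetch updates; nothing else originates here.
pass in on $vlan10 inet proto { tcp udp } from $servers_net to $dns_srv port 53
pass in on $vlan10 inet proto tcp from $servers_net to any port $web_ports
pass out on $vlan10 inet from any to $servers_net

# --- VLAN 20: workstations ---------------------------------------------------
pass in on $vlan20 inet proto { tcp udp } from $clients_net to $dns_srv port 53
pass in on $vlan20 inet proto tcp from $clients_net to $web_srv port $web_ports
pass in on $vlan20 inet from $clients_net to !<rfc1918>     # Internet only
pass out on $vlan20 inet from any to $clients_net

# --- VLAN 30: guests ---------------------------------------------------------
# Internal DNS is the one internal service guests may use; the quick block
# after it stops any other lateral movement before the catch-all pass.
pass in quick on $vlan30 inet proto { tcp udp } from $guests_net to $dns_srv port 53
block in quick on $vlan30 from $guests_net to <rfc1918>
pass in on $vlan30 inet from $guests_net to any
pass out on $vlan30 inet from any to $guests_net
```

Two things worth keeping in mind with this layout. First, pf's last-matching-rule semantics mean the order inside a VLAN section matters: in the guest section the DNS pass carries `quick` so that the following `block in quick ... to <rfc1918>` does not override it. Second, with the default floating state policy the `pass in` rule on the originating VLAN creates the state that also carries the forwarded packet out of the destination VLAN, so the per-VLAN `pass out` rules are an explicit second filter rather than something the traffic strictly needs; keeping them makes each VLAN's section self-describing when you read the file top to bottom.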

mono442 today at 11:31 AM

It's slower than nftables.
