Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
pf

Name: pf
Developer: OpenBSD project
Initial release: 2001
Operating system: OpenBSD, NetBSD, FreeBSD, macOS, DragonFly BSD
License: ISC license, BSD license
Website: OpenBSD

pf is a packet filter and stateful firewall originally developed for the OpenBSD operating system. It provides network address translation, traffic normalization, bandwidth shaping, and stateful inspection used in routers, firewalls, and gateways across many organizations such as Netflix, Google, Facebook, Amazon, and Cisco Systems. pf evolved from work by developers at the OpenBSD project and has been ported and adapted for use in other systems including FreeBSD, NetBSD, macOS, and DragonFly BSD.

History

Development began within the OpenBSD project as an alternative to existing packet filters used in other systems, motivated by security incidents involving pf predecessors and concerns raised after events like the 2003 worm outbreaks and 2001 Code Red. Early design and implementation were led by contributors from the OpenBSD core team and community developers associated with projects such as OpenSSH and LibreSSL. Over time, features were added in response to operational needs from institutions like University of California, Berkeley research networks, commercial vendors including Juniper Networks and Netgear, and large-scale operators such as Cloudflare and Akamai Technologies. Major milestones included additions for stateful tracking, network address translation support influenced by techniques used in Cisco IOS, and later integration of queueing and shaping inspired by work at IETF meetings and proposals from the PF_RING community.

Design and Features

pf's architecture centers on a ruleset language and a stateful engine implemented in C. It supports packet normalization, fragment reassembly, and inspection similar in purpose to systems described in RFCs from the Internet Engineering Task Force. The feature set includes network address translation comparable to implementations in Cisco IOS and JunOS, queueing and priority-based scheduling influenced by BSD classics, and inline state tracking like that found in products from Netfilter vendors. Administrative tools associated with pf, such as the command-line utility and configuration syntax, have been used as references by distributors like pfSense and projects in the open-source networking ecosystem.

Configuration

Configuration uses a concise ruleset file format, typically edited by administrators at institutions like Harvard University and Stanford University and enterprises such as IBM and Microsoft. Typical elements include tables for lists of addresses, influenced by practices from RIPE NCC and ARIN; macros for reusable patterns, used in corporate deployments at AT&T and Verizon Communications; and anchors for modularizing rulesets in multi-tenant environments like those run by DigitalOcean and Linode. Tools and GUIs such as those developed by pfSense and various vendor forks provide higher-level management comparable to interfaces from Cisco ASA and Juniper SRX.

Packet Filtering and NAT

pf provides stateful packet filtering with per-connection tracking, enabling policies analogous to those deployed in Check Point Software Technologies appliances and Fortinet products. NAT functionality supports source and destination rewriting used in carrier-grade NAT scenarios seen in networks managed by Comcast and T-Mobile US. Security features include normalization against evasion techniques discussed in Microsoft Security Response Center advisories and mitigation patterns similar to recommendations from the SANS Institute. Integration with intrusion detection systems from projects like Snort and Suricata is common in enterprise stacks operated by teams at the Wikimedia Foundation and NASA.
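The configuration elements named in the Configuration section (macros, tables, anchors) and the features named here (normalization, NAT, stateful filtering) are shown together in the following pf.conf, which is an added illustration and not a ruleset from the article or from the OpenBSD project. It uses current OpenBSD syntax (FreeBSD's pf still uses the older `nat on ... ->` form); the interface names, address ranges, and anchor name are assumptions chosen for the example.

```pf
# Added example pf.conf (OpenBSD syntax). Interface names, networks and the
# anchor name are assumptions for illustration, not values from the article.

# Macros: reusable names substituted into rules at load time
ext_if = "em0"
int_if = "em1"
int_net = "192.168.10.0/24"
tcp_services = "{ ssh, https }"

# Tables: address sets that can be changed at runtime without reloading rules
table <lan_hosts> { $int_net }
table <blocked> persist               # kept even when no rule references it
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Global options
set skip on lo0
set block-policy drop

# Normalization: reassemble fragments and sanitize headers before inspection,
# so that fragment-based evasion never reaches the filter rules or the IDS
match in all scrub (no-df random-id reassemble tcp)

# NAT: rewrite the source of LAN traffic leaving the external interface
match out on $ext_if inet from <lan_hosts> to any nat-to ($ext_if)

# Default deny; log blocked packets for detection and forensics
block log all

# Anti-spoofing: drop packets that claim an interface's own network but
# arrive on a different interface
antispoof quick for { $ext_if $int_if }

# Drop traffic from the runtime blocklist before any other evaluation
block in quick on $ext_if from <blocked>

# Private source addresses must not arrive from the Internet side
block in quick on $ext_if inet from <rfc1918>

# Stateful rules: only the initial SYN needs to match; replies and the rest of
# the connection are allowed by the state entry.  Hosts exceeding the
# connection-rate limits are added to <blocked> and their states flushed.
pass in on $ext_if inet proto tcp to ($ext_if) port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 10/30, overload <blocked> flush)
pass in on $int_if from <lan_hosts>
pass out on $ext_if keep state

# Anchor: a named sub-ruleset that can be loaded and replaced independently
anchor "tenant_a" on $int_if
```

Check the file without loading it with `pfctl -nf /etc/pf.conf`; inspect hosts added by the overload rule with `pfctl -t blocked -T show`; and load rules into the anchor from a separate file with `pfctl -a tenant_a -f <file>`, so tenant-specific rules can change without touching the main ruleset.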

Performance and Benchmarks

Performance characteristics have been measured and reported by research groups at institutions such as Massachusetts Institute of Technology, ETH Zurich, and commercial labs within Intel Corporation and AMD. Benchmarks compare throughput and latency against alternatives including Netfilter on Linux, proprietary systems from Cisco Systems, and open-source platforms like Open vSwitch. Optimization strategies include table-based lookups inspired by radix tree implementations used in FreeBSD kernel networking, and zero-copy techniques referenced in studies from Stanford University and Carnegie Mellon University.

Adoption and Use Cases

pf is widely used by academic networks, Internet service providers, cloud providers, and embedded appliance vendors. Deployments range from campus edge routers at the University of Cambridge and the University of Oxford to service provider edge devices operated by Verizon Business and Orange S.A. Commercial distributions and appliances such as those from Netgate (pfSense), industrial gateways from Advantech, and integrated systems in Apple products leverage pf ports and derivatives. It is also employed in secure enclaves and research testbeds at organizations like DARPA and in NSF-funded projects.
