FreeBSD PF updated to 4.5 for FreeBSD 9

June 29th, 2011 by Chris Buechler

As our commercial side has grown to the point where we employ multiple full-time people dedicated to working on the project and related customer needs, we’ve also become much more involved in upstream development in FreeBSD. Today Bjoern Zeeb committed PF 4.5 into FreeBSD HEAD for the 9 release (which will be the basis of pfSense 2.1), ported by Ermal Luci with help from Bjoern and Max Laier. Much of this work was funded by us, aside from volunteer efforts from Bjoern and Max, who provided some guidance along the way, with Bjoern especially helping with review and assistance.

4.5 is the last version of PF before the syntax changed in OpenBSD. The consensus amongst FreeBSD developers was not to break the ruleset of everyone running PF in stock FreeBSD just by doing an OS upgrade, which is why 4.5 was the version of choice.

Where does PF in FreeBSD go from here? We’ve already had discussions on this topic amongst several FreeBSD developers, as well as some of the OpenBSD guys, and have some rough plans in place for the next steps. More information on that will come later.

Thanks to Ermal, Bjoern and Max for getting this done!

14 Responses to “FreeBSD PF updated to 4.5 for FreeBSD 9”

  1. Quick news: Firewalls, VirtualBSD, pfSense | FreeBSD News Says:

    [...] Bjoern Zeeb committed PF 4.5 into FreeBSD HEAD for the 9 release (which will be the basis of pfSense 2.1), ported by Ermal Luci with help from Bjoern and Max Laier. Much of this work was funded by pfSense / BSDPerimeter, aside from volunteer efforts from Bjoern and Max providing some guidance along the way and Bjoern especially for review and assistance. (full post: FreeBSD PF updated to 4.5 for FreeBSD 9) [...]

  2. Marcello Says:

    Congratulations; your outstanding work embodies what’s best about open source – community projects with a successful commercial side to it.

  3. Seko Says:

    As always, good news!

  4. Bink Says:

    Looking forward to the 4.6 plans! Some really nice changes went into 4.6 and 4.8—so we’d really like to see them come to our favorite firewall appliance (and FreeBSD)…

  5. mhab12 Says:

    As a paying customer it makes me even happier with my decision to support such a great project which contributes well beyond just pfSense. Thanks everyone!

  6. adem darguner Says:

    Hi Everyone,

    When will the pfSense 2.1 version be released? Will the pfSense 2.1 version run on FreeBSD 9.0? Is there a roadmap for pfSense 2.1? Does anyone have information?

    Thank you.

  7. Chris Buechler Says:

    adem: 2.1 roadmap here http://redmine.pfsense.org/projects/pfsense/versions/5

    More info to come. It will be FreeBSD 9.

  8. bob john Says:

    Why wouldn’t you update to the latest version of PF? Dumb.

  9. Chris Buechler Says:

    bob: That’s explained in the post. OpenBSD was fine with breaking everyone’s rulesets just by upgrading your OS. FreeBSD devs weren’t fine doing that.

  10. bob john Says:

    I see, but it is inevitable that people will want to run a newer version of PF.

  11. James Carter Says:

    But as a whole most of us would rather have a working system than a broken system. Many of us use pfsense as an edge device and thus breaking said device would take us down. We also may run our production environments utilizing freebsd services… also potentially affected by the decision. I am happy for the decision. It is nice to know in advance that such changes will be coming and to have time to change rules in various places ahead of time. Thank you Chris, pfsense and freebsd maintainers.

  12. Chris Buechler Says:

    Just to clarify, that reasoning has no consideration at all with pfSense users, because we would automatically generate the ruleset to the appropriate syntax. It’s only for users of stock FreeBSD who have to manually configure pf.conf. When we’re working on upstream code we have to take the needs of the entire FreeBSD community into consideration, and what’s acceptable to the developer community as a whole.

  13. Timothy Says:

    The syntax in PF that is changed is trivial, very trivial. But it opens the gate for more powerful rules. Changing the syntax can be scripted; I have changed over many OpenBSD firewalls and not had problems.

  14. Jean Aumont Says:

    I wish you would have used the latest PF version available (4.9), despite the fact that it would have broken some rule sets.

    Many performance improvements have been made between 4.5 and 4.9 and we will be missing them in this new release of FreeBSD.

    I do not understand/share this decision since eventually I hope the port will go to a revision higher than 4.5 and at that point rule sets will need to be reviewed anyway.

    People will be doing the job of porting PF twice, to version 4.5 and eventually to a higher version… Anyway, thank you a lot for finally porting a newer version of PF to FreeBSD 9.
