Netgate sponsors the modernisation of the FreeBSD variant of pf(4)
FreeBSD 15.0 is expected to bring noticeable improvements to its pf(4) variant. This will also benefit pfSense and OPNsense.
(Image: FON's Fasai/Shutterstock.com)
- Michael Plura
Netgate, together with InnoGames, wants to bring the outdated FreeBSD version of pf(4) up to the current OpenBSD standard. This should make the core functionality of pfSense significantly more modern and secure. Jim Thompson, CTO (Chief Technology Officer) at Netgate, announced this in a blog post. Netgate became a commercial sponsor in 2008 and the official owner of the FreeBSD-based firewall distribution pfSense in 2008.
Netgate and InnoGames finance porting of current OpenBSD code
Specifically, Netgate is supporting freelance developer Kristof Provost, who has been delivering FreeBSD commits in the area of network and video applications for over 13 years. InnoGames GmbH, based in Hamburg, develops free-to-play online games for browsers and mobile platforms and supports network engineer Kajetan Staszkiewicz. He introduced the OpenBSD syntax for scrub operations in match and pass rules and is actively working on the pf(4) code.
The support from the two companies coincides with the Sovereign Tech Fund (STF)'s huge commitment, by FreeBSD standards, to support the FreeBSD Foundation with €686,400. The Sovereign Tech Fund (STF) is an NGO initiated by the German federal government and launched in 2022 by the Federal Ministry for Economic Affairs and Climate Protection (BMWK). The support was pledged to improve infrastructure, security, regulatory compliance, and the developer experience at FreeBSD.
OpenBSD's packet filter pf(4)
The open source operating system, which is consistently focused on security and correct code, uses the pf(4) packet filter for all important firewall tasks such as filtering TCP/IP traffic, NAT (Network Address Translation), normalizing and conditioning TCP/IP packets, bandwidth control, and packet prioritization. The packet filter has been part of the GENERIC kernel since OpenBSD 3.0 (December 2001).
Previously, OpenBSD used Darren Reed's IPFilter (IPF), but its licence only allowed Reed himself to make changes to the source code. For this reason, Swiss programmer Daniel Hartmeier wrote a completely new packet filter called pf(4), which is now maintained, audited, and further developed by the entire OpenBSD team with support from industry. The security and reliability of pf(4) convinced the German company Genua GmbH, a developer of high-security solutions, which switched its High Resistance Firewall genugate to OpenBSD in 2004.
OpenBSD pf(4) vs FreeBSD pf(4)
In 2004, OpenBSD's pf(4) was ported to FreeBSD 5.3, providing an alternative to IPFW, which was introduced in 1995. To get an overview of the function, setup, and syntax of the three packet filters, it is worth having a look at the FreeBSD Handbook, Chapter 33: Firewalls. Side note: The new pf(4) in FreeBSD was a major reason for the development of pfSense as an alternative to Manuel Kasper's lightweight m0n0wall.
The two projects have different design goals and priorities: FreeBSD is a server system optimized for network performance, while OpenBSD serves as a basis for developers and appliances. This created an inevitable dilemma: OpenBSD experiments with new functions and security features, while FreeBSD is primarily interested in data throughput and scalability. The source code of pf(4) was initially identical, and the FreeBSD team adopted most of the changes from OpenBSD. Over time, however, the two pf(4) variants continued to diverge, with FreeBSD entirely ignoring the new rule syntax introduced for pf(4) in OpenBSD 4.7.
Since around 2013 the two variants have remained similar, but they are no longer compatible with each other. For example, OpenBSD's pf(4) allocates memory using pool_get(), while FreeBSD's uses uma_zalloc(). If a rule contains only 10 as the value for an IP address, OpenBSD reports an error, while FreeBSD accepts the value and interprets it as 0.0.0.10. Both camps have recognised that this situation serves neither side well: close cooperation could offer greater security and functionality for FreeBSD and improved performance for OpenBSD.
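To make the address-literal point concrete, the following Python script is an added example written for this article; it is not code from FreeBSD, OpenBSD, Netgate or pfSense. It contrasts the lenient reading of the C library's inet_aton() (which turns a bare 10 into 0.0.0.10) with a strict check based on Python's ipaddress module, and runs both over a constructed, hypothetical set of pf rules (the match/scrub line uses the OpenBSD syntax mentioned above). The rule lines, the lint() function and its helpers are all assumptions made for the example, not part of any real tool.

```python
"""Strict address-literal check for pf rules.

Added example (hypothetical tool, not from any BSD project). It shows why
a lenient address parser is a firewall-policy risk: the C library's
inet_aton() accepts a bare "10" and reads it as 0.0.0.10, so a typo that
a strict parser would reject silently becomes a rule matching one host.
"""
import ipaddress
import re
import socket

# Constructed sample ruleset for the example; not taken from a real pf.conf.
# Line 1 uses the OpenBSD syntax for scrub options inside a match rule.
SAMPLE_RULES = """
match in all scrub (no-df random-id max-mss 1440)
pass in on em0 proto tcp from 10 to any port 22
pass in on em0 proto tcp from 10.0.0.0/8 to any port 22
block in quick from <badhosts> to any
pass out on em0 from 2001:db8::1 to any
"""

# pf keywords that are followed by an address, table or "any"
ADDR_KEYWORDS = ("from", "to")

TABLE_RE = re.compile(r"^<[A-Za-z0-9_]+>$")


def lenient_parse(token: str):
    """Mimic inet_aton(): return the dotted-quad it would produce, or None."""
    try:
        return socket.inet_ntoa(socket.inet_aton(token))
    except OSError:
        return None


def strict_parse(token: str):
    """Accept only unambiguous forms: any, <table>, host or CIDR; else ValueError."""
    if token == "any" or TABLE_RE.match(token):
        return token
    if "/" in token:
        # strict=False keeps host bits, matching how pf treats 10.1.2.3/8
        return ipaddress.ip_network(token, strict=False)
    # ipaddress.ip_address() rejects "10" (and octal-looking or partial forms)
    return ipaddress.ip_address(token)


def address_tokens(rule: str):
    """Yield the token that follows each from/to keyword in one rule line."""
    words = rule.split()
    for i, word in enumerate(words[:-1]):
        if word in ADDR_KEYWORDS:
            yield words[i + 1]


def lint(ruleset: str):
    """Return (lineno, token, lenient_reading) for every address literal the
    strict parser rejects; lenient_reading is what inet_aton() would make of it."""
    findings = []
    for lineno, line in enumerate(ruleset.strip().splitlines(), 1):
        for tok in address_tokens(line):
            try:
                strict_parse(tok)
            except ValueError:
                findings.append((lineno, tok, lenient_parse(tok)))
    return findings


if __name__ == "__main__":
    for lineno, tok, lenient in lint(SAMPLE_RULES):
        print(f"line {lineno}: ambiguous address {tok!r}; "
              f"inet_aton() would read it as {lenient}")
```

Run stand-alone, the script flags only the second rule: the strict check refuses the bare 10, while inet_aton() would quietly expand it to 0.0.0.10. The same check could be run over a pfSense or OPNsense-generated ruleset before loading it, which is the kind of difference a FreeBSD pf(4) aligned with the OpenBSD parser would make automatically.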
OPNsense: slightly more modern than the original
Since open source projects such as pfSense do not become fundamentally better through strict commercialization, OPNsense split off from pfSense in 2015 as a fork under the company Deciso B.V. from the Netherlands. OPNsense has already ported some more modern functions from OpenBSD, which makes Netgate's pfSense look worse in comparison.
So it's no wonder that Netgate began some time ago to push ahead with the modernization of pf(4) in FreeBSD and thus pfSense. If everything goes according to plan, noticeable improvements to pf(4) should come with FreeBSD 15.0, which has been announced for December 2025. After that, pfSense and OPNsense should in turn benefit from this. As code is also flowing towards OpenBSD, this should be a win-win situation for both BSD projects. However, there are no specific references to these changes in the preliminary FreeBSD 15.0 release notes as yet – but there is still some time before the official release on 2 December.
The blog post by CTO Jim Thompson can be found here.
(vbr)