PF was written by Daniel Hartmeier. It appeared in OpenBSD 3.0, which was released on 1 December 2001.
PF was originally designed as replacement for Darren Reed's IPFilter, from which it derives much of its rule syntax. IPFilter was removed from OpenBSD's CVS tree on 30 May 2001 due to OpenBSD developers' concerns with its license.
The filtering syntax is similar to IPFilter, with some modifications to make it clearer. Network Address Translation (NAT) and Quality of Service (QoS) have been integrated into PF, QoS by importing the ALTQ queuing software and linking it with PF's configuration. Features such as pfsync and CARP for failover and redundancy, authpf for session authentication, and ftp-proxy to ease firewalling the difficult FTP protocol, have also extended PF.
PF's logging is configurable per rule within the pf.conf and logs are provided from PF by a pseudo-network interface called pflog, which is the only way to lift data from kernel-level mode for user-level programs. Logs may be monitored using standard utilities such as tcpdump, which in OpenBSD has been extended especially for the purpose, or saved to disk in a modified tcpdump/pcap binary format using the pflogd daemon.
Apart from its home platform OpenBSD, PF is also installed by default in FreeBSD starting with version 5.3, in NetBSD from version 3.0, and appeared in DragonFly BSD from version 1.2. Core force, a firewalling and security product for Microsoft Windows, is derived from PF. PF is also included in Mac OS X Lion (OS X 10.7), released in July 2011 and Mountain Lion (OS X 10.8).
## Macros# The internal interface (connected to the local network).int_if="xl0"## Options# Set the default policy to return RSTs or ICMPs for blocked traffic.set block-policy return
# Ignore the loopback interface entirely.setskipon lo0
## Translation rules# NAT traffic on the interface in the default egress interface group (to# which the interface out of which the default route goes is assigned) from the# local network.
match outon egress from $int_if:network to any nat-to (egress)## Filtering rules# Default deny rule, with all blocked packets logged.block log all
# Pass all traffic to and from the local network, using quick so that later# rules are not evaluated if a packet matches this. Some rulesets would restrict# local traffic much further.passquickon$int_if all
# Permit all traffic going out, keep state so that replies are automatically passed;# many rulesets would have many rules here, restricting traffic in and out on the# external (egress) interface. (keep state is not needed in the newest version of pf)passoutkeepstate