What I meant was that packets that are part of an existing connection are passed through your iptables rules. When pf passes (or blocks) the beginning of a new connection, it will continue to do the same action upon those packets without passing them through the ruleset.

Thanks for pointing that out.

Additionally, pf has NAT built in.

Also, pf can log to pflog, which is a binary file read with tcpdump. If you want to log in plaintext, you can log to syslog as well. Since it’s built in to pf, it’s faster than loading the ulogd iptables extension.

Is this a fact? I don’t think so.
I built freebsd ipfw based firewalls + linux iptables and there isn’t much difference with the current 4/8/16 core hardwares…

IPF lacks in many features what linux iptables have one of them is layer7 filtering which is great if you build QoS gateways where you want to give more priority for latency sensitive apps and less for file transfer apps.

ULOGd in linux is just very nice too , I’m not sure if this is available in bsd.

NAT is another good compact thing in iptables when you have to run, configure separate natd on bsd.

“pf, you can change tables, variables, lists and anchors on the fly”
After an FW setup properly I hardly ever touch it so this is irrelevant.

Step 1: Download GeoIP data.
Step 2: Regex.
Step 3: pfctl yourself some new tables into memory
Step 4: Cronjob it
Step 5: ???
Step 6: Profit