So Teemu has been nagging me for some time. And Darren seems to have no time to fix ipfilter.
So today I migrated to pf. It was quite straightforward, although not as easy as the ipfw -> ipfilter migration a few years ago, which surprisingly worked on my first try.
This time I needed three tries: first I added the wrong pass rules for the redirect rules (in ipfilter the NAT is done after filtering, in PF before the filtering), then I confused $int_if:network with $internal_net (no, they are not identical in my case), and the last error was that I was blocking RFC1918 nets although I was using one 🙂 (the cause of this error is similar to the first error).
I still don’t quite understand my ruleset (especially why outgoing NTP packets get blocked although I have allowed all outgoing TCP and UDP).
But the essential parts seem to work: I can IRC, I can receive emails, and you can read my blog.
I will try to fix the corner cases over the next week and try to look at the more sophisticated rules, like spamd, altq, carp, etc.
What I really like about PF is the pflog0 device; it makes it really easy to analyze errors in the ruleset.
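An added illustration of the three rule-ordering points from this post, written in the old-style pf.conf syntax (separate nat/rdr rules, as in OpenBSD before 4.7 and in FreeBSD's pf); it is not the post's own ruleset, and the interface names, addresses and the web server host are assumptions:

```pf
# Added illustration, not the post's pf.conf. Interfaces, addresses and the
# web-server host are assumed values.
ext_if       = "fxp0"
int_if       = "fxp1"
internal_net = "192.168.1.0/24"    # assumed; need not equal $int_if:network
webserver    = "192.168.1.10"      # assumed
rfc1918      = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Translation rules. PF evaluates nat/rdr before the filter rules, so the
# filter rules see the already-translated destination address.
nat on $ext_if from $internal_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $webserver port 80

block log all

# Mistake 1: a pass rule for the untranslated destination. Because rdr has
# already rewritten the destination, this rule never matches the packet.
#   pass in on $ext_if proto tcp from any to ($ext_if) port 80
# Working form: match the translated (internal) destination.
pass in on $ext_if proto tcp from any to $webserver port 80 keep state

# Mistake 3 (same root cause: the rule is evaluated where you did not expect):
# a blanket RFC1918 block also applies on $int_if, where the real internal
# network lives, so internal traffic is dropped.
#   block in log quick from $rfc1918 to any
# Working form: only treat private source addresses as bogus on $ext_if.
block in log quick on $ext_if from $rfc1918 to any

# Mistake 2: $int_if:network expands to the network configured on the
# interface; $internal_net is whatever the macro says. Use the one you mean.
pass in on $int_if from $internal_net to any keep state
pass out on $ext_if proto { tcp, udp } from any to any keep state

# Because every block rule above carries "log", the rule that dropped a
# packet can be read off the pflog0 interface mentioned in the post:
#   tcpdump -n -e -ttt -i pflog0
```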