OpenSource For You

The OPENBSD pf firewall


OpenBSD is not the only OS to have the pf firewall. Though originally designed and written for that OS, today we find pf in FreeBSD and NetBSD too. In fact, the popular pfSense ISO is based on OpenBSD pf but it runs FreeBSD.

FreeBSD pf is not the real thing. OpenBSD is where pf is natively developed and maintained; FreeBSD ports it later, so you are better off running it natively. Besides, pf, being firewall software, uses kernel networking code extensively. OpenBSD pf is also tightly integrated with its own kernel networking sub-system. Consequently, pf works best on OpenBSD.

Now, like Linux iptables, the pf firewall can do a lot of cool stuff like port forwarding. However, iptables is very complex, and does too many things. Rewriting payload data in protocols like FTP, SIP, RTP, etc, is something that user-land proxy applications do. That is not the job of a kernel firewall. Content inspection is not its job either. A kernel firewall like pf limits itself only to packet headers at TCP or Layer 3. Beyond that, user-land applications have to handle the data. However, pf is very powerful, since it can do things like direct server return and divert-to sockets, which can be used for very advanced packet forwarding, routing, and so on.

All pf rules are normally written in /etc/pf.conf, but can be added from the command line or included from other files as well. However, in general, keeping all firewall rules simple, short and sweet is the preferred convention. In OpenBSD, everything is kept very simple; that is why it is so secure. And pf rules read
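As an added example (not from the article), here is a short /etc/pf.conf in the style just described: macros, a rule file pulled in with `include`, a default-deny policy and one header-only port-forwarding rule. The interface names, addresses and the included file path are assumptions for illustration.

```pf
# Added example, not the article's own configuration.
# Check syntax without loading:  pfctl -nf /etc/pf.conf
# Load the rule set:             pfctl -f /etc/pf.conf
# Show what is loaded:           pfctl -sr

ext_if  = "em0"          # assumed external interface
int_if  = "em1"          # assumed internal interface
web_srv = "192.0.2.10"   # assumed internal web server (documentation address)

# Addresses that must never reach us live in their own file so they can be
# maintained separately. Assumed file; it defines: table <blocked> persist { ... }
include "/etc/pf.blocklist.conf"

set skip on lo

# Default deny in both directions; everything allowed is listed below.
block return
block in quick on $ext_if from <blocked>

# Port forwarding: TCP/80 arriving on the external interface is redirected to
# the internal server on 8080. Only the IP/TCP headers are rewritten; pf never
# touches the payload, which is the point made in the text above.
pass in on $ext_if proto tcp to ($ext_if) port 80 rdr-to $web_srv port 8080

# Internal network may go out, source-translated to the external address.
# State is kept, so replies match without extra rules.
pass out on $ext_if inet from $int_if:network nat-to ($ext_if)

# Traffic on the internal side, including the redirected web requests above.
pass on $int_if
```

`pfctl -nf` only parses the file, so a typo is caught before a bad rule set replaces the running one.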
