diff --git a/conf/type/__pf_ruleset/explorer/cksum b/conf/type/__pf_ruleset/explorer/cksum
new file mode 100755
index 00000000..f8679836
--- /dev/null
+++ b/conf/type/__pf_ruleset/explorer/cksum
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# 2012 Jake Guffey (jake.guffey at eprotex.com)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+#
+# Get the 256 bit SHA2 checksum of the pf ruleset on the target host.
+#
+
+# Debug
+#exec >&2
+#set -x
+
+# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf
+# See if file exists and if so, get checksum
+
+RC="/etc/rc.conf"
+TMP="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')"
+PFCONF="${TMP:-"/etc/pf.conf"}"
+
+if [ -f "${PFCONF}" ]; then # The pf config file exists, find its cksum.
+ cksum -o 1 ${PFCONF} | cut -d= -f2 | awk '{print $1}'
+fi
+
+# Debug
+#set +x
+
diff --git a/conf/type/__pf_ruleset/explorer/rcvar b/conf/type/__pf_ruleset/explorer/rcvar
new file mode 100755
index 00000000..20e9dfcc
--- /dev/null
+++ b/conf/type/__pf_ruleset/explorer/rcvar
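Review bot: The header comment promises a SHA-256 of the ruleset, but the `cksum -o 1 ${PFCONF}` line computes the historic BSD 16-bit `sum` algorithm, which collides trivially and only catches accidental corruption, not a modified firewall ruleset; a real digest such as `sha256 -q "${PFCONF}"` (the same program exists on FreeBSD, OpenBSD and NetBSD) is the appropriate drift check. Whatever algorithm is used here must be the one gencode-local computes for `currentSum` on the cdist host, otherwise the two values never match and the ruleset is re-copied on every run; the `case "$uname"` block in gencode-local is not legible in this rendering, so confirm both sides agree. On the same lines, `${RC}` and `${PFCONF}` are unquoted, and `grep '^pf_rules='` emits every matching line, so a duplicated `pf_rules=` assignment in rc.conf produces a two-line path; `grep '^pf_rules=' "${RC}" 2>/dev/null | tail -n 1` mirrors sh's last-assignment-wins semantics.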
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# 2012 Jake Guffey (jake.guffey at eprotex.com)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+#
+# Get the location of the pf ruleset on the target host.
+#
+
+# Debug
+#exec >&2
+#set -x
+
+# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf
+
+RC="/etc/rc.conf"
+PFCONF="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')"
+echo ${PFCONF:-"/etc/pf.conf"}
+
+# Debug
+#set +x
+
diff --git a/conf/type/__pf_ruleset/gencode-local b/conf/type/__pf_ruleset/gencode-local
new file mode 100644
index 00000000..c2495509
--- /dev/null
+++ b/conf/type/__pf_ruleset/gencode-local
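Review bot: The path this explorer prints is what gencode-local and gencode-remote later copy to and rename, but the `grep | cut | sed` line only strips double quotes, so an rc.conf entry like `pf_rules="/etc/pf.conf" # firewall` or a single-quoted value comes back with a trailing comment or quotes attached, and a repeated `pf_rules=` line comes back as two lines. Since rc.conf is sourced by sh the last assignment wins; `PFCONF="$(grep '^pf_rules=' "${RC}" 2>/dev/null | tail -n 1 | sed -e 's/^pf_rules=//' -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/')"` captures that, and `printf '%s\n' "${PFCONF:-/etc/pf.conf}"` avoids the word-splitting and globbing of the unquoted `echo` argument. The cksum explorer carries a second copy of this parsing; if the two ever diverge the checksum is taken of a different file than the one that gets replaced, so keeping one canonical version is worth it.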
@@ -0,0 +1,73 @@
+#!/bin/sh
+#
+# 2012 Jake Guffey (jake.guffey at eprotex.com)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+#
+# Manage pf(4) on *BSD
+#
+
+# Debug
+#exec >&2
+#set -x
+
+# Send files to $__target_host via $__remote_copy
+
+uname=$(uname) # Need to know what the cdist host is running so we know how to compute the ruleset's checksum
+state=$(cat "$__object/parameter/state")
+
+if [ "$state" = "absent" ]; then # There is nothing more for a *local* script to do
+ exit 0
+fi
+
+if [ -f "$__object/parameter/source" ]; then
+ source=$(cat "$__object/parameter/source")
+fi
+
+rcvar=$(cat "$__object/explorer/rcvar")
+cksum=$(cat "$__object/explorer/cksum")
+
+
+cat <&2
+ exit 1
+ ;;
+esac
+
+if [ -n "${cksum}" ]; then
+ if [ ! "\${currentSum}" = "${cksum}" ]; then
+ $__remote_copy "${source}" "$__target_host:${rcvar}.new"
+ fi
+else # File just doesn't exist yet
+ $__remote_copy "${source}" "$__target_host:${rcvar}.new"
+fi
+EOF
+
+# Debug
+#exec +x
+
diff --git a/conf/type/__pf_ruleset/gencode-remote b/conf/type/__pf_ruleset/gencode-remote
new file mode 100644
index 00000000..6e9030ea
--- /dev/null
+++ b/conf/type/__pf_ruleset/gencode-remote
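Review bot: `rcvar` is read straight from the explorer output, i.e. from the target's /etc/rc.conf, and then expanded into the unquoted here-document (`\${currentSum}` shows the delimiter is unquoted) that cdist executes as shell on the local host, so a target that reports `pf_rules=$(...)` turns the `$__remote_copy "${source}" "$__target_host:${rcvar}.new"` line into command execution on the control machine, which holds SSH access to every managed host. Unless the project explicitly treats managed hosts as fully trusted, the value should be validated as a plain absolute path before it is spliced into generated code. A second gap on the same lines: `source` is optional and only set when the parameter file exists, yet the generated code uses it unconditionally, so `--state present` without `--source` runs `$__remote_copy ""`; fail early instead (or exit 0 if a no-op is intended). The ruleset-hashing `case` block is not legible in this rendering, so the comparison with the explorer's checksum could not be reviewed.
```shell
rcvar=$(cat "$__object/explorer/rcvar")
cksum=$(cat "$__object/explorer/cksum")

# rcvar comes from the target's rc.conf and is spliced into code that runs
# on the cdist host: accept only a plain absolute path, nothing the local
# shell could expand.
case "${rcvar}" in
    /*[!A-Za-z0-9._/-]*|[!/]*|"")
        echo "__pf_ruleset: refusing pf_rules path '${rcvar}' reported by ${__target_host}" >&2
        exit 1
        ;;
esac

if [ -z "${source}" ]; then
    echo "__pf_ruleset: --source is required with --state present" >&2
    exit 1
fi

# … unchanged: here-document generating the checksum comparison and remote copy …
```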
@@ -0,0 +1,49 @@
+#!/bin/sh
+#
+# 2012 Jake Guffey (jake.guffey at eprotex.com)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+#
+# Manage pf(4) on *BSD
+#
+
+# Debug
+#exec >&2
+#set -x
+
+# Remove ${rcvar} in the case of --state absent
+
+state=$(cat "$__object/parameter/state")
+rcvar=$(cat "$__object/explorer/rcvar")
+
+if [ "$state" = "present" ]; then # There is nothing more for a *remote* script to do
+ exit 0
+elif [ "$state" = "absent" ]; then
+ # --state absent, so ensure that .new doesn't exist and that conf is renamed to .old
+ cat <&2
+ exit 1
+fi
+
diff --git a/conf/type/__pf_ruleset/man.text b/conf/type/__pf_ruleset/man.text
new file mode 100644
index 00000000..68601fad
--- /dev/null
+++ b/conf/type/__pf_ruleset/man.text
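Review bot: The `present` branch exits before doing anything on the target, so the file gencode-local copies to `${rcvar}.new` is, as far as this hunk shows, never syntax-checked, moved into place or loaded, and the host keeps running whatever ruleset it had. A ruleset install should at least be parsed before it replaces the live file, e.g. `pfctl -nf "${rcvar}.new" && mv "${rcvar}.new" "${rcvar}" && pfctl -f "${rcvar}"`, so that a typo cannot leave the machine with stale rules now and no loadable ruleset after a reboot. The `absent` here-document body is not legible in this rendering; the comment above it only mentions renaming the file to `.old`, and renaming does not unload rules already in the kernel, so either flush them explicitly (`pfctl -F rules`) or change the man page's "no ruleset at all" wording to say that only the file is removed.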
@@ -0,0 +1,51 @@
+cdist-type__pf_ruleset(7)
+==================================
+Jake Guffey
+
+
+NAME
+----
+cdist-type__pf_ruleset - Copy a pf(4) ruleset to $__target_host
+
+
+DESCRIPTION
+-----------
+This type is used on *BSD systems to manage the pf firewall's ruleset.
+
+
+REQUIRED PARAMETERS
+-------------------
+state::
+ Either "absent" (no ruleset at all) or "present"
+
+
+OPTIONAL PARAMETERS
+-------------------
+source::
+ If supplied, use to define the ruleset to load onto the $__target_host for pf(4).
+ Note that this type is almost useless without a ruleset defined, but it's technically not
+ needed, e.g. for the case of disabling the firewall temporarily.
+
+EXAMPLES
+--------
+
+--------------------------------------------------------------------------------
+# Remove the current ruleset in place
+__pf_ruleset --state absent
+
+# Enable the firewall with the ruleset defined in $__manifest/files/pf.conf
+__pf_ruleset --state present --source $__manifest/files/pf.conf
+
+--------------------------------------------------------------------------------
+
+
+SEE ALSO
+--------
+- cdist-type(7)
+- pf(4)
+
+
+COPYING
+-------
+Copyright \(C) 2012 Jake Guffey. Free use of this software is
+granted under the terms of the GNU General Public License version 3 (GPLv3).
diff --git a/conf/type/__pf_ruleset/parameter/optional b/conf/type/__pf_ruleset/parameter/optional
new file mode 100644
index 00000000..5a18cd2f
--- /dev/null
+++ b/conf/type/__pf_ruleset/parameter/optional
@@ -0,0 +1 @@
+source
diff --git a/conf/type/__pf_ruleset/parameter/required b/conf/type/__pf_ruleset/parameter/required
new file mode 100644
index 00000000..ff72b5c7
--- /dev/null
+++ b/conf/type/__pf_ruleset/parameter/required
@@ -0,0 +1 @@
+state
diff --git a/conf/type/__pf_ruleset/singleton b/conf/type/__pf_ruleset/singleton
new file mode 100644
index 00000000..e69de29b