Oracle® Solaris 11 Security Guidelines

Exit Print View

Updated: August 2014

Packet Filtering

Packet filtering provides basic protection against network-based attacks. Oracle Solaris includes the IP Filter feature and TCP wrappers.


The IP Filter feature of Oracle Solaris creates a firewall to ward off network-based attacks.

Specifically, IP Filter provides stateful packet filtering capabilities and can filter packets by IP address or network, port, protocol, network interface, and traffic direction. It also includes stateless packet filtering and the capability to create and manage address pools. In addition, IP Filter also has the capability to perform network address translation (NAT) and port address translation (PAT).

TCP Wrappers

TCP wrappers provide access control for internet services. When various internet (inetd) services are enabled, the tcpd daemon checks the address of a host requesting a particular network service against an ACL. Requests are granted or denied accordingly. TCP wrappers also log host requests for network services in syslog, which is a useful monitoring function.

The Secure Shell (ssh)and sendmail features of Oracle Solaris are configured to use TCP wrappers. Network services that have a one-to-one mapping to executable files, such as proftpd and rpcbind, are candidates for TCP wrappers.

TCP wrappers support a rich configuration policy language that enables organizations to specify security policy not only globally but on a per-service basis. Further access to services can be permitted or restricted based upon host name, IPv4 or IPv6 address, netgroup name, network, and even DNS domain.

    For information about TCP wrappers, see the following:

  • How to Use TCP Wrappers

  • For information and examples of the syntax of the access control language for TCP wrappers, see the hosts_access(4) man page.

  • Selected man pages include tcpd(1M) and inetd (1M) .