Go to main content

Securing the Network in Oracle® Solaris 11.4

Exit Print View

Updated: DRAFT
 
 

Comparing PF in Oracle Solaris to IP Filter and to OpenBSD Packet Filter

The earlier releases of Oracle Solaris used IP Filter as the firewall. In this release, PF is the only supported firewall.

Comparing IP Filter and Oracle Solaris Packet Filter

If you plan to transfer IP Filter rules to Packet Filter (PF) rules, note that the features of IP Filter and PF do not match exactly. Therefore, no reliable conversion tool to map IP Filter configurations to PF configurations is possible. The best strategy when converting network policies, including firewall policies, from one product to another is to review the requirements and specifications and then implement policies using the new tool.

The following table compares the Oracle Solaris implementation of PF with IP Filter. Figure 4, Table 4, Differences Between OpenBSD PF and Oracle Solaris PF compares the Oracle Solaris implementation of PF with OpenBSD PF.

Table 3  Comparison of IP Filter and Packet Filter on Oracle Solaris
Firewall Feature
IP Filter
Oracle Solaris PF Implementation
Configuration files
Several, such as ippool.conf, ipnat.conf, and ipv6.conf
One pf.conf file
Ease of understanding the rules
Complex syntax
Shortcuts such as macros and tables aid readability
IPv4 and IPv6 packet fragments
Administrator must explicitly turn on reassembly
IP reassembly is on by default
Loopback interface protection
Must be enabled by set intercept_loopback true;
Firewall always intercepts packets on loopback interface
Package name
ipfilter
firewall
OS signature file
None
pf.os
pass rules
Stateless by default
Stateful by default
Rights profile
IP Filter Management
Network Firewall Management
SMF service name
ipfilter
firewall, which requires PF configuration before enabling the service, plus the pflog and ftp-proxy services
FTP packet filtering over NAT
Handled in the kernel
Handled by an ftp-proxy daemon
Packet logging
Administrator uses syslog or creates separate log file
Log file location is a pflog service property and the logs are in libpcap format

Comparing Oracle Solaris Packet Filter and OpenBSD Packet Filter

The following table describes the differences between the OpenBSD implementation of PF and the Oracle Solaris version. For OpenBSD features that Oracle Solaris does not include, see Introduction to Packet Filter.

Table 4  Differences Between OpenBSD PF and Oracle Solaris PF
OpenBSD PF Behavior
Oracle Solaris PF Behavior
Difference in Oracle Solaris PF
Users download PF from the web.
Administrators install PF as an IPS package.
IPS repositories provide security for data at rest and data in transit.
pf* commands run the firewall.
svc* commands run the firewall, which is an SMF service.
Some PF command usage is replaced by SMF commands.
PF on a NAT works over IPv4 and IPv6 networks.
OpenBSD supports NAT-64 as described by RFC 6146, while Oracle Solaris supports traditional NAT only, as described by RFC 2663.
PF on a NAT works on IPv4 networks only.
ftp-proxy enables PF to filter FTP packets over a NAT on IPv4 networks only.
Anchor names cannot begin with an underscore.
Oracle Solaris defines the _auto and _static anchors.
Oracle Solaris reserves the _auto and _static anchor subtrees for services that provide their own firewall rules and packages that deliver rule set fragments.
Firewall interface groups are defined in a rule only.
Groups require rule mention plus an ipadm command to add interfaces to the group.
Configuring firewall interface groups in Oracle Solaris is a two-step process.
No provision for zones.
PF works in and between Oracle Solaris Zones.
Non-global zones can use PF.
Filtering between zones is supported in zones that function as virtual routers for the other zones on the system.

For additional information, see Guidelines for Using Packet Filter in Oracle Solaris and Configuring the Firewall in Oracle Solaris.

Guidelines for Using Packet Filter in Oracle Solaris