The earlier releases of Oracle Solaris used IP Filter as the firewall. In this release, PF is the only supported firewall.
If you plan to transfer IP Filter rules to Packet Filter (PF) rules, note that the features of IP Filter and PF do not match exactly. Therefore, no reliable conversion tool to map IP Filter configurations to PF configurations is possible. The best strategy when converting network policies, including firewall policies, from one product to another is to review the requirements and specifications and then implement policies using the new tool.
The following table compares the Oracle Solaris implementation of PF with IP Filter. Table 4, Differences Between OpenBSD PF and Oracle Solaris PF compares the Oracle Solaris implementation of PF with OpenBSD PF.
The following table describes the differences between the OpenBSD implementation of PF and the Oracle Solaris version. For OpenBSD features that Oracle Solaris does not include, see Introduction to Packet Filter.
For additional information, see Guidelines for Using Packet Filter in Oracle Solaris and Configuring the Firewall in Oracle Solaris.
When using PF, note the following guidelines:
To enable and use the PF firewall, see How to Configure the Firewall on Oracle Solaris.
PF is installed but disabled. The solaris-small-server, solaris-large-server, and solaris-desktop group packages install the PF firewall by default.
Use SMF commands, such as svcadm enable firewall, to manage PF. For when to use the pfctl command, see Using PF Features to Administer the Firewall.
For an overview of SMF, see Chapter 1, Introduction to the Service Management Facility in Managing System Services in Oracle Solaris 11.4. For SMF procedures, see Chapter 3, Administering Services in Managing System Services in Oracle Solaris 11.4.
To administer PF, become an administrator who is assigned the Network Firewall Management rights profile. The root role includes this profile.
Best practice is to assign the Network Firewall Management rights profile to a user or to a role that you create. To create the role and assign the role to a user, see Creating a Role in Securing Users and Processes in Oracle Solaris 11.4.
To edit the pf.conf configuration file, use the pfedit command. After editing, run pfctl -nf to verify the syntax of the file, then refresh the firewall service so that the new rules are loaded.
Use macros, tables, and firewall interface groups to simplify rules and enhance performance. For more information, see Packet Filter Macros, Tables, and Interface Groups.
Use firewall interface groups in PF to specify the same firewall policy on multiple hosts that handle similar traffic on interfaces with different names. The group names are used in policy rules. Without the group names, these same rules could not apply to multiple hosts when the interface names differ.
For more information, see Packet Filter Macros, Tables, and Interface Groups. For tasks, see How to Use Groups to Simplify Firewall Policy in a Network and Example 11, PF Configuration File Using Firewall Interface Groups.
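The following pf.conf is an added example, not taken from the Oracle Solaris documentation, that puts the guidelines above together: macros, persistent tables, and rules written against a firewall interface group rather than an interface name, followed by the syntax check and service refresh. It assumes the file lives at /etc/firewall/pf.conf, that the group is named office, that the ipadm fwifgroup property is how the interface was placed in that group, and that all addresses are constructed sample values.

```conf
# Added example pf.conf (not from the Oracle documentation).
# Assumption: on host A the LAN interface is net0, on host B it is net1; both have been
# placed in the firewall interface group "office" with a command of the form
#   ipadm set-ifprop -p fwifgroup=office net0      (assumed command form)
# so this identical file applies the same policy on both hosts.

# Macros: named values that are substituted into rules below
web_ports = "{ 80, 443 }"
ssh_port  = "22"

# Tables: address sets that pfctl can change at run time without reloading rules
table <admins>  persist { 192.0.2.10, 192.0.2.11 }          # constructed sample addresses
table <blocked> persist { 198.51.100.0/24, 203.0.113.7 }    # constructed sample addresses

# Options come before filter rules: leave loopback traffic alone
set skip on lo0

# Default-deny policy; log what is dropped so it can be reviewed
block log all

# Drop anything sourced from the blocked table on every interface, before other rules
block in quick from <blocked>

# Filter rules name the group "office", never net0 or net1, so they work on both hosts
pass in on office proto tcp to port $web_ports keep state
pass in on office proto tcp from <admins> to port $ssh_port keep state
pass out on office keep state

# After editing this file with pfedit:
#   pfctl -nf /etc/firewall/pf.conf   # parse and check syntax only; nothing is loaded
#   svcadm refresh firewall           # load the verified rules into the running firewall
```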