The earlier releases of Oracle Solaris used IP Filter as the firewall. In this release, PF is the only supported firewall.
If you plan to transfer IP Filter rules to Packet Filter (PF) rules, note that the features of IP Filter and PF do not match exactly. Therefore, no reliable conversion tool to map IP Filter configurations to PF configurations is possible. The best strategy when converting network policies, including firewall policies, from one product to another is to review the requirements and specifications and then implement policies using the new tool.
The following table compares the Oracle Solaris implementation of PF with IP Filter. Figure 4, Table 4, Differences Between OpenBSD PF and Oracle Solaris PF compares the Oracle Solaris implementation of PF with OpenBSD PF.
The following table describes the differences between the OpenBSD implementation of PF and the Oracle Solaris version. For OpenBSD features that Oracle Solaris does not include, see Introduction to Packet Filter.
For additional information, see Guidelines for Using Packet Filter in Oracle Solaris and Configuring the Firewall in Oracle Solaris.
When using PF, note the following guidelines:
To enable and use the PF firewall, see How to Configure the PF Firewall on Oracle Solaris.
PF is installed but disabled. The solaris-small-server, solaris-large-server, and solaris-desktop group packages install the PF firewall by default.
Use SMF commands, such as svcadm enable firewall, to manage PF. For when to use the pfctl command, see Strategies for Converting IPF Rules to PF Rules.
For an overview of SMF, see Chapter 1, Introduction to the Service Management Facility in Managing System Services in Oracle Solaris 11.4. For SMF procedures, see Chapter 3, Administering Services in Managing System Services in Oracle Solaris 11.4.
To administer PF, become an administrator who is assigned the Network Firewall Management rights profile. The root role includes this profile.
Best practice is to assign the Network Firewall Management rights profile to a user or to a role that you create. To create the role and assign the role to a user, see Creating a Role in Securing Users and Processes in Oracle Solaris 11.4.
To edit the pf.conf PF configuration file, use the pfedit command, then verify the syntax and refresh the firewall service.
Use macros, tables, and firewall interface groups to simplify rule syntax and enhance performance. For more information, see Packet Filter Macros, Tables, and Interface Groups.
Use the Oracle Solaris _auto anchor to handle SMF services that supply their own rules, such as ftp-proxy and OpenStack. An anchor in PF handles rule sets that are attached dynamically to the main rule set.
For information about anchors, see http://www.openbsd.org/faq/pf/anchors.html. For information about Oracle Solaris's extension of the anchor format, see Oracle Solaris _auto Anchor in PF and Oracle Solaris _static Anchor in PF.
Install the firewall-ftp-proxy package. The ftp-proxy service assists PF in filtering FTP packets that originate behind an IPv4 NAT interface. For more information, see Using the ftp-proxy Service and How to Make FTP Transfers Pass Through PF Doing NAT on Oracle Solaris.
Use firewall interface groups in PF to specify the same firewall policy on multiple hosts that handle similar traffic on interfaces with different names. The group names are used in policy rules. Without the group names, the same rules could not apply to multiple hosts whose interface names differ.
For more information, see Packet Filter Macros, Tables, and Interface Groups. For tasks, see How to Use Groups to Simplify Firewall Policy in a Network and Example 8, PF Configuration File Using Firewall Interface Groups.
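The following pf.conf fragment is an added illustration of the macro, table, interface group, and _auto anchor guidelines above; it is not a configuration file from the Oracle Solaris documentation. The group names (dmz, mgmt), addresses, and services are assumptions chosen for the example, and the assignment of interfaces to the groups is done with ipadm outside this file.

```pf
# /etc/firewall/pf.conf (constructed example; group names, addresses and
# services are assumptions, not values from the Oracle Solaris documentation)

# Macros: change a port list in one place rather than in every rule.
admin_ports = "{ ssh }"
web_ports   = "{ http, https }"

# Tables: address sets evaluated in a single lookup, which is faster than
# repeating each address in its own rule.
table <admin_hosts> const { 192.0.2.10, 192.0.2.11 }
table <rfc1918>     const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Loopback traffic is not filtered.
set skip on lo0

# Firewall interface groups: rules name the group (dmz, mgmt), not the
# interface (net0, net1), so this file applies unchanged on hosts whose
# interface names differ.

# Drop private source addresses arriving on the externally facing group.
block in quick on dmz from <rfc1918> to any

# Default deny; log what is blocked so it can be reviewed.
block log all

# Rule sets supplied by SMF services (ftp-proxy, OpenStack) are attached here.
anchor "_auto/*"

# Management access only from the admin table, only on the mgmt group;
# (mgmt) expands to the addresses of the interfaces in that group.
pass in on mgmt proto tcp from <admin_hosts> to (mgmt) port $admin_ports

# Public web service on the dmz group.
pass in on dmz proto tcp to (dmz) port $web_ports

# Host-originated traffic; pass rules keep state so replies are allowed back.
pass out all
```

After saving the file with pfedit, check it with pfctl -nf /etc/firewall/pf.conf (parse only, nothing is loaded) and then run svcadm refresh firewall to activate it.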