Go to main content

Securing the Network in Oracle® Solaris 11.4

Exit Print View

Updated: DRAFT

Comparing PF in Oracle Solaris to IP Filter and to OpenBSD Packet Filter

The earlier releases of Oracle Solaris used IP Filter as the firewall. In this release, PF is the only supported firewall.

Comparing IP Filter and Oracle Solaris Packet Filter

If you plan to transfer IP Filter rules to Packet Filter (PF) rules, note that the features of IP Filter and PF do not match exactly. Therefore, no reliable conversion tool to map IP Filter configurations to PF configurations is possible. The best strategy when converting network policies, including firewall policies, from one product to another is to review the requirements and specifications and then implement policies using the new tool.

The following table compares the Oracle Solaris implementation of PF with IP Filter. Figure 4, Table 4, Differences Between OpenBSD PF and Oracle Solaris PF compares the Oracle Solaris implementation of PF with OpenBSD PF.

Table 3  Comparison of IP Filter and Packet Filter on Oracle Solaris
Firewall Feature
IP Filter
Oracle Solaris PF Implementation
Configuration files
Several, such as ippool.conf, ipnat.conf, and ipv6.conf
One pf.conf file
Ease of understanding the rules
Complex syntax
Shortcuts such as macros and tables aid readability
IPv4 and IPv6 packet fragments
Administrator must explicitly turn on reassembly
IP reassembly is on by default
Loopback interface protection
Must be enabled by set intercept_loopback true;
Firewall always intercepts packets on loopback interface
Package name
OS signature file
pass rules
Stateless by default
Stateful by default
Rights profile
IP Filter Management
Network Firewall Management
SMF service name
firewall, which is put in the degraded state when enabled with the default configuration that Oracle Solaris ships.
FTP packet filtering over NAT
Handled in the kernel
Handled by an ftp-proxy daemon
Packet logging
Uses /dev/ipl character device to pass logged packets to ipmon service.
Uses capture links (pseudo links) to pass packets from kernel to userland. Packets are then read by pflog service or can be read by tcpdump and Wireshark.

Comparing Oracle Solaris Packet Filter and OpenBSD Packet Filter

The following table describes the differences between the OpenBSD implementation of PF and the Oracle Solaris version. For OpenBSD features that Oracle Solaris does not include, see Introduction to Packet Filter.

Table 4  Differences Between OpenBSD PF and Oracle Solaris PF
OpenBSD PF Behavior
Oracle Solaris PF Behavior
Difference in Oracle Solaris PF
OpenBSD provides PF as part of a base system.
PF is installed as an IPS package.
IPS repositories provide security for data at rest and data in transit.
pfctl command manages the firewall.
svc* commands manage the firewall, which is an SMF service.
SMF commands supplement pfctl functionality.
NAT works over IPv4 and IPv6 networks.
OpenBSD supports NAT-64 as described by RFC 6146, while Oracle Solaris supports traditional NAT only, as described by RFC 2663.
PF supports NAT on IPv4 networks only.
Firewall interface groups are managed by ifconfig.
Firewall interface groups are managed by ipadm.
No differences except the command to use.
No provision for zones.
PF works in and between Oracle Solaris Zones.
Non-global zones can use PF.
Filtering between zones is supported in zones that function as virtual routers for the other zones on the system.

For additional information, see Guidelines for Using Packet Filter in Oracle Solaris and Configuring the Firewall in Oracle Solaris.

Guidelines for Using Packet Filter in Oracle Solaris