Go to main content

Securing the Network in Oracle® Solaris 11.4

Exit Print View

Updated: January 2019
 
 

Introduction to Packet Filter

The OpenBSD Packet Filter (PF) feature of Oracle Solaris is a network firewall that captures incoming packets and evaluates them for entry to and exit from the system. PF provides stateful packet inspection. It can match packets by IP address and port number as well as by the receiving network interface.

Oracle Solaris PF is based on OpenBSD Packet Filter (PF) version 5.5, which is enhanced to work with Oracle Solaris components, such as zones with exclusive IP instances.

    At installation, Oracle Solaris PF behaves differently from OpenBSD PF at installation.

  • In Oracle Solaris, the svc:/network/firewall service is installed but disabled by default.

  • If you enable the service with the default configuration that Oracle Solaris ships, then the firewall service is put in the degraded state, as described in Packet Filter Configuration File and the firewall Service.

    If you are transferring IP Filter firewall rules to PF firewall rules, you must ensure that the PF rules enforce the same policy. Identical rules in IP Filter and PF can enforce different policy.

    The following OpenBSD PF features are not included in the Oracle Solaris version:

  • Network address translation (NAT-64) between IPv6 and IPv4 as described by RFC 6146

  • PFSYNC, which allows PF firewalls to be deployed as a cluster

  • QOS (packet queuing)

  • Netflow statistics