
Securing the Network in Oracle® Solaris 11.3


Updated: March 2018

Comparing PF in Oracle Solaris to IP Filter and to OpenBSD Packet Filter

The feature sets of IP Filter and Packet Filter (PF) do not match exactly, so no tool can mechanically convert an IP Filter configuration into a PF configuration. The best strategy when moving network policies, including firewall policies, from one product to the other is to review the requirements and specifications and then implement the policies in the new tool. For an example of a PF configuration file that implements the network policy of an IP Filter configuration file, see Example 8, PF Configuration File Based on an IP Filter Configuration File.

Comparing IP Filter and Oracle Solaris Packet Filter

The following table compares the Oracle Solaris implementation of PF with IP Filter. Table 4, Differences Between OpenBSD PF and Oracle Solaris PF compares the Oracle Solaris implementation of PF with OpenBSD PF.

Table 3  Comparison of IP Filter and Packet Filter on Oracle Solaris

| Firewall Feature | IP Filter | Oracle Solaris PF Implementation |
|---|---|---|
| Configuration files | Several, such as ippool.conf, ipnat.conf, and ipv6.conf | One pf.conf file |
| Ease of understanding the rules | Complex syntax | Shortcuts such as macros and tables aid readability |
| IPv4 and IPv6 packet fragments | Administrator must explicitly turn on reassembly | IP reassembly is on by default |
| Loopback interface protection | Must be enabled by set intercept_loopback true; | Firewall always intercepts packets on loopback interface |
| Package name | OS signature file | |
| pass rules | Stateless by default | Stateful by default |
| Rights profile | IP Filter Management | Network Firewall Management |
| SMF service name | | firewall, which requires PF configuration before enabling the service, plus the pflog service |
| Packet logging | Administrator uses syslog or creates separate log file | Log file location is a pflog service property and the logs are in libpcap format |

Comparing Oracle Solaris Packet Filter and OpenBSD Packet Filter

The following table describes the differences between the OpenBSD implementation of PF and the Oracle Solaris version. For OpenBSD features that Oracle Solaris does not include, see Introduction to Packet Filter.

Table 4  Differences Between OpenBSD PF and Oracle Solaris PF

| OpenBSD PF Behavior | Oracle Solaris PF Behavior | Difference in Oracle Solaris PF |
|---|---|---|
| Users download PF from the web. | Administrators install PF as an IPS package. | IPS repositories provide security for data at rest and data in transit. |
| pf* commands run the firewall. | svc* commands run the firewall, which is an SMF service. | Some PF command usage is replaced by SMF commands. |
| PF on a NAT works over IPv4 and IPv6 networks. | PF on a NAT works on IPv4 networks only. | OpenBSD supports NAT-64 as described by RFC 6146, while Oracle Solaris supports traditional NAT only, as described by RFC 2663. |
| No provision for zones. | PF works in and between Oracle Solaris Zones. | Non-global zones can use PF. Filtering between zones is supported in zones that function as virtual routers for the other zones on the system. |

For additional information, see Guidelines for Using Packet Filter in Oracle Solaris and Configuring the Packet Filter Firewall.
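The following script is an added example, not code from this guide, that ties together the points of Table 3 and Table 4 in one runnable procedure: it writes a pf.conf that uses macros and a table, relies on the stateful default for pass rules while showing the explicit no state form for comparison, passes loopback traffic explicitly because PF always intercepts lo0, logs blocked packets so the pflog service records them in libpcap format, then checks the syntax with pfctl and enables the firewall and pflog SMF services. The interface name net0, the networks 192.0.2.0/24 and 198.51.100.0/24, the nat-to rule, and the FMRIs svc:/network/firewall:default and svc:/network/firewall/pflog:default are assumptions for illustration; pfctl and svcadm are only invoked where they exist, so the file-writing part can be inspected on any host.

```shell
#!/bin/sh
# Added example for Oracle Solaris 11.3 PF (not the guide's own code).
# Interface net0, the 192.0.2.0/24 and 198.51.100.0/24 networks and the
# SMF FMRIs below are assumed placeholders.

# Write a pf.conf to the path given as $1.
write_pf_conf() {
    cat > "$1" <<'EOF'
# Macros name interfaces, networks and port lists (Table 3: readability).
ext_if = "net0"
admin_net = "192.0.2.0/24"
tcp_services = "{ ssh, https }"

# A table is a named address set referenced as <name>.
table <blocked> persist { 198.51.100.0/24 }

# Default deny. "log" sends the blocked packets to the pflog service,
# which stores them in libpcap format (Table 3: packet logging).
block log all

# PF on Oracle Solaris always intercepts loopback traffic, so a
# default-deny rule set needs an explicit pass for lo0.
pass quick on lo0

# Addresses in the table are dropped early.
block quick from <blocked>

# Stateful by default: no "keep state" keyword is required, unlike
# an IP Filter pass rule.
pass in on $ext_if inet proto tcp from $admin_net to ($ext_if) port $tcp_services
pass out on $ext_if inet

# For comparison, "no state" makes a PF rule stateless (IP Filter's default).
pass out on $ext_if inet proto udp to any port domain no state

# NAT: Oracle Solaris PF translates IPv4 only (Table 4); nat-to is
# assumed to be supported as in OpenBSD PF syntax.
match out on $ext_if inet from $admin_net to any nat-to ($ext_if)
EOF
}

# Parse the file with pfctl, then enable the SMF services.  The firewall
# service requires a valid configuration before it is enabled (Table 3),
# so the syntax check runs first.  The tools are invoked only where present.
load_firewall() {
    conf="$1"
    if command -v pfctl >/dev/null 2>&1; then
        # -n parses only; nothing is loaded into the kernel.
        pfctl -nf "$conf" || return 1
    fi
    if command -v svcadm >/dev/null 2>&1; then
        svcadm enable svc:/network/firewall:default || return 1
        svcadm enable svc:/network/firewall/pflog:default || return 1
        # The log file location is a property of the pflog service.
        svcprop svc:/network/firewall/pflog:default
    fi
    return 0
}

# Usage: sh pf-setup.sh --apply
# Writes /etc/firewall/pf.conf, validates it and enables the services.
if [ "${1:-}" = "--apply" ]; then
    write_pf_conf /etc/firewall/pf.conf && load_firewall /etc/firewall/pf.conf
fi
```

Run it with --apply as a user holding the Network Firewall Management rights profile; without the flag it only defines the functions, which is convenient for reviewing the generated rule set with pfctl -nf on a test system before touching the live service.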

Guidelines for Using Packet Filter in Oracle Solaris