The features of IP Filter and Packet Filter (PF) do not match exactly. Therefore, no conversion tool to map IP Filter configurations to Packet Filter configurations is possible. The best strategy when converting network policies, including firewall policies, from one product to another is to review the requirements and specifications and then implement policies using the new tool. For an example of a PF configuration file that implements the network policy of an IP Filter configuration file, see Example 7, PF Configuration File Based on an IP Filter Configuration File.
The following table compares the Oracle Solaris implementation of PF with IP Filter. Figure 4, Table 4, Differences Between OpenBSD PF and Oracle Solaris PF compares the Oracle Solaris implementation of PF with OpenBSD PF.
The following table describes the differences between the OpenBSD implementation of PF and the Oracle Solaris version. For OpenBSD features that Oracle Solaris does not include, see Introduction to Packet Filter.
For additional information, see Guidelines for Using Packet Filter in Oracle Solaris and Configuring the Packet Filter Firewall.
When using PF, note the following guidelines:
To install and use the PF firewall, see How to Configure the PF Firewall on Oracle Solaris.
The solaris-small-server, solaris-large-server, and solaris-desktop group packages install the IP Filter service by default.
Use SMF commands, such as svcadm enable firewall, to manage PF. For when to use the pfctl command, see Using PF Features to Administer the Firewall.
For an overview of SMF, see Chapter 1, Introduction to the Service Management Facility in Managing System Services in Oracle Solaris 11.3. For SMF procedures, see Chapter 3, Administering Services in Managing System Services in Oracle Solaris 11.3.
To administer PF, become an administrator who is assigned the Network Firewall Management rights profile. The root role includes this profile.
Best practice is to assign the Network Firewall Management rights profile to a user or to a role that you create. To create the role and assign the role to a user, see Creating a Role in Securing Users and Processes in Oracle Solaris 11.3.
To edit the pf.conf configuration file, use the pfedit command. After editing, use the pfctl -nf command to verify the syntax, then refresh the firewall service.
Use macros and tables to simplify rules and enhance performance. For more information, see Packet Filter Macros and Tables.
Install the firewall-pflog package to enable packet filter logging. For more information, see Packet Filter Logging and Using Packet Filter Logging.
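The verify-then-refresh guideline above can be enforced with a small wrapper so that the firewall service is never refreshed with a file that fails the parse check. This is an added example, not code from the Oracle documentation; the function names and the PFCTL, SVCADM and FIREWALL_SVC override variables are hypothetical, the configuration file path is passed as an argument, and the service name is the one used in svcadm enable firewall above.

```shell
#!/bin/sh
# Added example: gate the firewall refresh on a clean "pfctl -nf" parse.
# PFCTL, SVCADM and FIREWALL_SVC are hypothetical overrides so the logic
# can be exercised on a host that does not have PF installed.
PFCTL=${PFCTL:-pfctl}
SVCADM=${SVCADM:-svcadm}
FIREWALL_SVC=${FIREWALL_SVC:-firewall}

# check_pf_conf FILE
# Parse-only check. Returns 0 when the file parses cleanly,
# 1 when pfctl reports an error, 2 when the file cannot be read.
check_pf_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # -n parses the rules without loading them; -f names the file to parse.
    "$PFCTL" -nf "$conf" || return 1
}

# apply_pf_conf FILE
# Refresh the firewall service only when the parse check passes, so a
# typo in the file never reaches the running rule set.
apply_pf_conf() {
    check_pf_conf "$1" || {
        rc=$?
        echo "not refreshing $FIREWALL_SVC: check failed (status $rc)" >&2
        return "$rc"
    }
    "$SVCADM" refresh "$FIREWALL_SVC"
}

# Stand-alone use: pass the path of the edited pf.conf as the only argument.
if [ "$#" -gt 0 ]; then
    apply_pf_conf "$1"
fi
```

Run it as an administrator who is assigned the Network Firewall Management rights profile, after saving the file with pfedit.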