
Securing the Network in Oracle® Solaris 11.3


Updated: April 2019

Comparing PF in Oracle Solaris to IP Filter and to OpenBSD Packet Filter

The features of IP Filter and Packet Filter (PF) do not match exactly. Therefore, no conversion tool to map IP Filter configurations to Packet Filter configurations is possible. The best strategy when converting network policies, including firewall policies, from one product to another is to review the requirements and specifications and then implement policies using the new tool. For an example of a PF configuration file that implements the network policy of an IP Filter configuration file, see Example 7, PF Configuration File Based on an IP Filter Configuration File.

Comparing IP Filter and Oracle Solaris Packet Filter

The following table compares the Oracle Solaris implementation of PF with IP Filter. Table 4, Differences Between OpenBSD PF and Oracle Solaris PF compares the Oracle Solaris implementation of PF with OpenBSD PF.

Table 3  Comparison of IP Filter and Packet Filter on Oracle Solaris

| Firewall Feature | IP Filter | Oracle Solaris PF Implementation |
|---|---|---|
| Configuration files | Several, such as ippool.conf, ipnat.conf, and ipv6.conf | One pf.conf file |
| Ease of understanding the rules | Complex syntax | Shortcuts such as macros and tables aid readability |
| IPv4 and IPv6 packet fragments | Administrator must explicitly turn on reassembly | IP reassembly is on by default |
| Loopback interface protection | Must be enabled by set intercept_loopback true; | Firewall always intercepts packets on loopback interface |
| Package name | ipfilter | firewall |
| OS signature file | None | pf.os |
| pass rules | Stateless by default | Stateful by default |
| Rights profile | IP Filter Management | Network Firewall Management |
| SMF service name | ipfilter | firewall, which requires PF configuration before enabling the service, plus the pflog service |
| Packet logging | Uses /dev/ipl character device to pass logged packets to ipmon service. | Uses capture links (pseudo links) to pass packets from kernel to userland. Packets are then read by pflog service or can be read by tcpdump and Wireshark. |
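The following pf.conf is an added illustration of the Table 3 differences, not the guide's Example 7 and not shipped with Oracle Solaris: it implements a small IP Filter policy (quoted in the comments) using PF macros, a table, and the default stateful pass rules. The interface name net0, the 192.0.2.0/24 subnet, and the two management hosts are assumptions chosen for the example.

```pf
# Added example: PF policy equivalent to the IP Filter rules in the comments.
# Assumed: uplink net0, LAN 192.0.2.0/24, management hosts 192.0.2.10-11.

# Macros and a table replace repeated literals and the separate ippool.conf
# that IP Filter needs for address lists.
ext_if = "net0"
lan    = "192.0.2.0/24"
table <mgmt> { 192.0.2.10, 192.0.2.11 }

# IP Filter only inspects lo0 after "set intercept_loopback true;".
# Oracle Solaris PF always intercepts loopback packets, so the policy must
# permit them explicitly or local services lose connectivity.
pass quick on lo0

# IP Filter: block in all
# IP Filter: block out all
# "log" hands every blocked packet to the capture link read by the pflog
# service (or by tcpdump), replacing IP Filter's /dev/ipl and ipmon.
block log all

# IP Filter: pass out quick on net0 proto tcp from any to any keep state
# IP Filter: pass out quick on net0 proto udp from any to any keep state
# PF pass rules keep state by default, so "keep state" is implied.
pass out quick on $ext_if proto { tcp udp } from $lan to any

# IP Filter: pass in quick on net0 proto tcp from 192.0.2.10/32 to any port = 22 keep state
# IP Filter: pass in quick on net0 proto tcp from 192.0.2.11/32 to any port = 22 keep state
# The <mgmt> table collapses one rule per host into one rule.
pass in quick on $ext_if proto tcp from <mgmt> to ($ext_if) port 22

# ICMP echo from the LAN only; append "no state" to reproduce IP Filter's
# stateless matching where a stateless rule is actually wanted.
pass in quick on $ext_if inet proto icmp from $lan to ($ext_if) icmp-type echoreq
```

Validate the file with pfctl -nf /etc/firewall/pf.conf before enabling the firewall SMF service, since, as Table 3 notes, the service expects a PF configuration to be in place first.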

Comparing Oracle Solaris Packet Filter and OpenBSD Packet Filter

The following table describes the differences between the OpenBSD implementation of PF and the Oracle Solaris version. For OpenBSD features that Oracle Solaris does not include, see Introduction to Packet Filter.

Table 4  Differences Between OpenBSD PF and Oracle Solaris PF

| OpenBSD PF Behavior | Oracle Solaris PF Behavior | Difference in Oracle Solaris PF |
|---|---|---|
| OpenBSD provides PF as part of a base system. | Administrators install PF as an IPS package. | IPS repositories provide security for data at rest and data in transit. |
| pfctl command manages the firewall. | svc* commands manage the firewall, which is an SMF service. | SMF commands supplement pfctl functionality. |
| NAT works over IPv4 and IPv6 networks. | PF supports NAT on IPv4 networks only. | OpenBSD supports NAT-64 as described by RFC 6146, while Oracle Solaris supports traditional NAT only, as described by RFC 2663. |
| No provision for zones. | PF works in and between Oracle Solaris Zones. | Non-global zones can use PF. Filtering between zones is supported in zones that function as virtual routers for the other zones on the system. |

For additional information, see Guidelines for Using Packet Filter in Oracle Solaris and Configuring the Packet Filter Firewall.
