Securing the Network in Oracle® Solaris 11.3

Updated: March 2018

Strategies for Converting IPF Rules to PF Rules

If you have IPF rules to migrate to PF, first be clear about the policy you are trying to enforce, then write PF rules that express that policy. Translating IPF rules one at a time without this step tends to carry over rules whose purpose nobody remembers.

Several PF features help with the transition: you can syntax-check a rule file without loading it, display the loaded rules in their order of evaluation, and raise the debugging level while you test.

  • You can split rules across several files in PF, though a single file is the default. To do so, add an include directive to the PF configuration file that names the other file; the included file is read at the point where the directive appears, so its rules are evaluated in that position.

    $ pfedit /etc/firewall/pf.conf
    include "/etc/firewall/pfzones.conf"
  • You can use options to the pfctl command to test and display your firewall policy.

    • Use the –sr option to display the loaded rule set in the order in which the rules are evaluated. Adding –a '*' also displays the rules in every anchor, not only the main rule set.

      $ pfctl -a '*' -sr
    • Use the –n option to check the syntax of a rule file without loading the rules into the kernel. For example, the following command checks the syntax of the rules in the pf.conf file in the /etc/firewall/test directory.

      $ pfctl -n -f /etc/firewall/test/pf.conf
    • Use the –x option to set the debugging level. The default debugging level is error. Changing the level modifies the running firewall, so it requires privilege, as the # prompt indicates.

      # pfctl -x debug
      # dmesg

      The debug messages print to the console only. The dmesg command reads recent diagnostic messages from the system message buffer and prints them to standard output, so you can review them after the fact.

    • Use the –g option, after setting the debugging level with –x, to include additional output that is useful for debugging. Combined with –n, this lets you inspect how a test file is parsed without loading it.

      $ pfctl -x debug -g -f testfile -n
    • Use the –v and –vv options to make the output of other pfctl operations verbose, with –vv more verbose than –v. For example, –vv together with –sr prints each rule with its evaluation and match counters.

      $ pfctl -vv
    • Use the –r option to perform reverse DNS lookups on states when displaying them.

    For more options, see the pfctl(1M) man page.
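The steps above (check that every included file exists, syntax-check with –n, load only if the check passes, then display the loaded rules) can be run as one staged procedure. The following POSIX shell script is an added example and is not part of the Oracle Solaris documentation or of the PF distribution. It reuses the /etc/firewall/pf.conf path from the page; the staging file /etc/firewall/test/pf.conf, the function names and the choice to resolve relative include paths against the directory of the rule file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Oracle's or PF's own code): staged loading of a PF rule
# file during an IPF-to-PF migration. Function names and the staging path are
# assumptions; only /etc/firewall/pf.conf comes from the documentation.

# Print the path of every file named by an `include "..."` line in $1 that
# does not exist or is not readable. Comments are stripped first. A relative
# include path is resolved against the directory of the rule file (an
# assumption of this helper; PF itself opens the path as written).
# Output is empty when all includes resolve, which is the success condition.
pf_missing_includes() {
    conf=$1
    confdir=$(dirname "$conf")
    sed -n -e 's/#.*$//' \
           -e 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*$/\1/p' "$conf" |
    while IFS= read -r inc; do
        case $inc in
            /*) path=$inc ;;
            *)  path=$confdir/$inc ;;
        esac
        [ -r "$path" ] || printf '%s\n' "$inc"
    done
}

# Count of `include` directives in a rule file (comments ignored), useful for
# confirming that a split rule set was written the way you expect.
pf_count_includes() {
    sed -n -e 's/#.*$//' \
           -e 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" |
    wc -l | tr -d ' '
}

# Stage a candidate rule file into the live location.
#   $1  candidate file, e.g. /etc/firewall/test/pf.conf (assumed path)
#   $2  live file, defaults to /etc/firewall/pf.conf
# Nothing reaches the kernel unless the include check and `pfctl -n` pass.
pf_stage_load() {
    candidate=$1
    live=${2:-/etc/firewall/pf.conf}

    missing=$(pf_missing_includes "$candidate")
    if [ -n "$missing" ]; then
        printf 'refusing to load: missing include file(s):\n%s\n' "$missing" >&2
        return 1
    fi

    # Syntax check only; -n parses the file (and its includes) without loading.
    pfctl -n -f "$candidate" || {
        printf 'refusing to load: syntax check failed for %s\n' "$candidate" >&2
        return 1
    }

    cp "$candidate" "$live" || return 1
    pfctl -f "$live" || return 1

    # Show what is now active, including every anchor, with per-rule counters.
    pfctl -a '*' -vvsr
}

# Usage (requires privilege to load rules):
#   . ./pfstage.sh
#   pf_stage_load /etc/firewall/test/pf.conf
```

Run the include check and the syntax check as an unprivileged user first; only the final copy and load need privilege. If pfctl -n rejects the candidate, the live rule set is untouched, which is the property you want while you are still converting IPF rules piece by piece.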

For an example of an entire IP Filter configuration file changed to a PF configuration file, see Example 8, PF Configuration File Based on an IP Filter Configuration File.