To run PF as your firewall, you configure the pf.conf file to reflect your policy, then enable the firewall service. To log PF events, see Using Packet Filter Logging.
Before You Begin
To install the firewall package, you must become an administrator who is assigned the Software Installation rights profile. To configure the firewall service, you must become an administrator who is assigned the Network Firewall Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
$ pfbash pkg install firewall
$ pfedit /etc/firewall/pf.conf $ pfctl -nf /etc/firewall/pf.conf
For sample rules, see Packet Filter Macros and Tables and Examples of PF Rules Compared to IPF Rules.
$ svcadm enable firewall
If you do not provide a valid pf.conf file before enabling the service, PF loads the basic rule set and provides an annotated pf.conf file. The rules are similar to the rules in Basic Firewall Protection Rule Set.
$ modinfo -i pf ID LOADADDR SIZE INFO REV NAMEDESC 199 -- 5e258 6 1 pf (PF 5.5)
The version number is listed in the NAMEDESC column.
$ pkg install firewall-pflog $ svcadm enable pflog:default
The default location for the log is /var/log/firewall/pflog/pflog0.pkt.
For examples of configuring packet logging, see Using Packet Filter Logging and the pflogd (8) man page.
$ svcadm disable network/firewall
This command removes all rules from the kernel and disables the service. You might disable the firewall on a system that you have disconnected from the network or that you are decommissioning.