PF uses the pf.conf file for all firewall configuration information. If you do not supply a pf.conf file at installation, Oracle Solaris provides the Default Rule Set From the firewall Package. The service then transitions to the degraded state, because this configuration provides no network protection. This state indicates that the administrator must properly configure the system's firewall policy.
The firewall service loads a pf.conf file as follows:
The start method calls the pfctl command to load the pf.conf file from the location specified in the firewall/rules property.
To list firewall service property values, see How to Monitor the PF Firewall on Oracle Solaris.
If the load succeeds, the method runs the pfctl -e command to enable the firewall.
If pf.conf fails to load, for example, due to a syntax error or a missing file, the method enables the firewall with the Basic Protection Rule Set.
The default location of the PF configuration file is /etc/firewall/pf.conf and the file contains:
set directives that tune various PF firewall parameters, such as timeouts, debug level, and IP fragment reassembly. See the set command in the OPTIONS section in the pf.conf(7) man page.
Firewall rules that set your network policy. For more detail, see Packet Filter Rule Syntax.
For sample rules, see Examples of PF Rules Compared to IPF Rules and Packet Filter Macros, Tables, and Interface Groups.
The /etc/firewall/pf.conf PF configuration file that the firewall package installs is similar to the following:
#
# PF does IP reassembly by default.
# On Oracle Solaris, the 'no-df' option ensures that IP reassembly works
# with broken stacks that send packets with the invalid flag combination 'MF|DF'.
#
set reassemble yes no-df
#
# PF should not filter loopback traffic by default.
#
# Filtering on loopback can interfere with zone installation and other
# operations due to Oracle Solaris loopback optimizations.
# See the pf.conf(7) man page for guidance on how to enable it
# for your application.
set skip on lo0
#
This initial configuration provides no protection from network threats. If you enable the firewall service with this default configuration, the service transitions to the degraded state, which indicates that the administrator must still configure the system's firewall policy. For more information, see the pf.conf(7) man page.
Whenever the default firewall instance fails to start due to a misconfiguration, such as a syntax error in the configuration file or a non-existent configuration file, the service instance is put into the maintenance state. In this case, to ensure at least basic network security, the start method loads the following basic protection rule set:
#
# basic protection rule set
#
# ignore traffic travelling within loopback
set skip on lo0
# block everything unless told otherwise and send TCP-RST/ICMP
# unreachable for every packet which gets blocked
block return
# accept incoming SSH connections
pass in proto tcp to any port 22
# allow DHCP do its work - incoming messages
pass in inet proto udp from port 67 to port 68
pass in inet6 proto udp from port 547 to port 546
# packet too big - needed for PMTUD
pass in inet6 proto ipv6-icmp icmp6-type 2
# router advertisement
pass in inet6 proto ipv6-icmp icmp6-type 134
# neighbor solicitation
pass in inet6 proto ipv6-icmp icmp6-type 135
# neighbor advertisement
pass in inet6 proto ipv6-icmp icmp6-type 136
# allow all connections initiated from this system, this
# includes e.g. DHCP requests
pass out
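The two rule sets above differ in exactly the way the service states reflect: the package default has no block or pass rules at all (hence the degraded state), while the basic protection set leads with a catch-all block and opens only SSH, DHCP and the ICMPv6 messages the host needs. The following added example is not Oracle's code and is not a substitute for the real syntax check (pfctl -n -f file); it is a small auditor that parses only the directive subset used in the two rule sets quoted here (set reassemble, set skip on, block, pass with inet/inet6, proto, from/to port and icmp6-type), rejects anything else as a syntax error, and reports what inbound traffic a candidate pf.conf admits before the firewall service loads it. The check that a catch-all block must come first relies on PF's last-matching-rule semantics; the finding strings and the host handling are this example's own assumptions.

```python
"""pf.conf auditor for the rule subset shown on this page (added example,
not Oracle code and not pfctl: use `pfctl -n -f file` for a real syntax check).
Parses set reassemble, set skip on, block [return] and pass in|out with
optional inet/inet6, proto, from/to ... port and icmp6-type; nothing else."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed copies of the two rule sets quoted in the text, comments trimmed.
DEFAULT_PFCONF = """
set reassemble yes no-df
set skip on lo0
"""

BASIC_PROTECTION = """
# basic protection rule set
set skip on lo0
block return
pass in proto tcp to any port 22
pass in inet proto udp from port 67 to port 68
pass in inet6 proto udp from port 547 to port 546
pass in inet6 proto ipv6-icmp icmp6-type 2
pass in inet6 proto ipv6-icmp icmp6-type 134
pass in inet6 proto ipv6-icmp icmp6-type 135
pass in inet6 proto ipv6-icmp icmp6-type 136
pass out
"""


@dataclass
class Rule:
    action: str                          # "block" or "pass"
    direction: Optional[str] = None      # "in", "out" or None (both)
    af: Optional[str] = None             # "inet", "inet6" or None (both)
    proto: Optional[str] = None
    src_port: Optional[str] = None
    dst_port: Optional[str] = None
    icmp6_type: Optional[str] = None
    options: List[str] = field(default_factory=list)  # e.g. "return"


@dataclass
class Policy:
    skip_ifaces: List[str] = field(default_factory=list)
    settings: Dict[str, str] = field(default_factory=dict)
    rules: List[Rule] = field(default_factory=list)


def _parse_rule(tokens: List[str]) -> Rule:
    rule = Rule(action=tokens[0])
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("in", "out"):
            rule.direction = tok
            i += 1
        elif tok in ("inet", "inet6"):
            rule.af = tok
            i += 1
        elif tok == "return":
            rule.options.append(tok)
            i += 1
        elif tok == "proto":
            rule.proto = tokens[i + 1]
            i += 2
        elif tok in ("from", "to"):
            i += 1                      # optional host (e.g. "any"), then optional "port N"
            if i < len(tokens) and tokens[i] not in ("port", "to", "icmp6-type"):
                i += 1                  # host is skipped: ports are what this audit tracks
            port = None
            if i < len(tokens) and tokens[i] == "port":
                port = tokens[i + 1]
                i += 2
            if tok == "from":
                rule.src_port = port
            else:
                rule.dst_port = port
        elif tok == "icmp6-type":
            rule.icmp6_type = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return rule


def parse_conf(text: str) -> Policy:
    """Parse pf.conf text; raise ValueError at the first line outside the subset."""
    policy = Policy()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        try:
            if tokens[0] == "set" and tokens[1:3] == ["skip", "on"]:
                policy.skip_ifaces.extend(tokens[3:])
            elif tokens[0] == "set":
                policy.settings[tokens[1]] = " ".join(tokens[2:])
            elif tokens[0] in ("block", "pass"):
                policy.rules.append(_parse_rule(tokens))
            else:
                raise ValueError(f"unknown directive {tokens[0]!r}")
        except (IndexError, ValueError) as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return policy


def inbound_exposure(policy: Policy) -> List[Tuple[str, str, str]]:
    """(address family, protocol, destination port or ICMPv6 type) per inbound pass rule."""
    exposed = []
    for r in policy.rules:
        if r.action == "pass" and r.direction in ("in", None):
            key = r.icmp6_type if r.proto == "ipv6-icmp" else r.dst_port
            exposed.append((r.af or "any", r.proto or "any", key or "any"))
    return sorted(exposed)


def audit(policy: Policy) -> List[str]:
    """Findings to review before handing the file to the firewall service."""
    findings = []
    # PF applies the last matching rule, so the catch-all block must be the
    # first rule; without it, traffic no pass rule mentions is admitted.
    first = policy.rules[0] if policy.rules else None
    if not (first and first.action == "block" and first.direction is None and first.proto is None):
        findings.append("no leading catch-all 'block' rule: unmatched traffic is admitted")
    for r in policy.rules:
        if r.action == "pass" and r.direction in ("in", None) and r.proto is None:
            findings.append("inbound 'pass' rule without 'proto': admits every protocol")
    for ifc in policy.skip_ifaces:
        if ifc != "lo0":
            findings.append(f"'set skip on {ifc}': interface is left completely unfiltered")
    return findings


if __name__ == "__main__":
    for name, text in (("default pf.conf", DEFAULT_PFCONF), ("basic protection", BASIC_PROTECTION)):
        policy = parse_conf(text)
        print(f"{name}: inbound exposure {inbound_exposure(policy)}")
        for finding in audit(policy) or ["no findings"]:
            print(f"  - {finding}")
```

Run against the package default, the auditor reports the missing catch-all block, which is the same gap the degraded service state flags; run against the basic protection set it reports nothing and lists the admitted inbound services (TCP 22, the DHCP client ports, the four ICMPv6 types). A token the subset does not know, such as a misspelled keyword, raises a ValueError with the line number, mirroring the syntax-error case that makes the service fall back to the basic protection set.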