
Securing the Network in Oracle® Solaris 11.4


Updated: January 2019

Packet Filter Configuration File and the firewall Service

PF uses the pf.conf file for all firewall configuration information. If you do not supply a pf.conf file at installation, Oracle Solaris provides the Default Rule Set From the firewall Package. The service then transitions to the degraded state, because this configuration provides no network protection. This state indicates that the administrator must properly configure the system's firewall policy.

The firewall service loads a pf.conf file as follows:

  1. The start method calls the pfctl command to load the pf.conf file from the location specified in the firewall/rules property.

     To list firewall service property values, see How to Monitor the PF Firewall on Oracle Solaris.

  2. If the load succeeds, the method runs the pfctl -e command to enable the firewall.

  3. If pf.conf fails to load, for example, due to a syntax error or a missing file, the method enables the firewall with the Basic Protection Rule Set.

See also the pf.conf(7) and pfctl(8) man pages.

Default Rule Set From the firewall Package

The /etc/firewall/pf.conf PF configuration file that the firewall package installs is similar to the following:

## PF does IP reassembly by default. 
# On Oracle Solaris, the 'no-df' option ensures that IP reassembly works
# with broken stacks that send packets with the invalid flag combination 'MF|DF'.
#
set reassemble yes no-df

#
# PF should not filter loopback traffic by default.
#
# Filtering on loopback can interfere with zone installation and other
# operations due to Oracle Solaris loopback optimizations. 
# See the pf.conf(7) man page for guidance on how to enable it 
# for your application.
set skip on lo0
##

This initial configuration provides no protection from network threats. If you enable the firewall service with this default configuration, the service transitions to the degraded state, because this configuration provides no network protection. This state indicates that the administrator must properly configure the system's firewall policy. For more information, see the pf.conf(7) man page.

Basic Protection Rule Set

Whenever the default firewall instance fails to start due to a misconfiguration, such as a syntax error in the configuration file or a non-existent configuration file, the service instance is put into the maintenance state. In this case, to ensure at least basic network security, the start method loads the following basic protection rule set:

## basic protection rule set
# ignore traffic travelling within loopback
set skip on lo0

# block everything unless told otherwise and send TCP-RST/ICMP
# unreachable for every packet which gets blocked
block return

# accept incoming SSH connections
pass in proto tcp to any port 22

# allow DHCP to do its work - incoming messages
pass in inet proto udp from port 67 to port 68
pass in inet6 proto udp from port 547 to port 546

# packet too big - needed for PMTUD
pass in inet6 proto ipv6-icmp icmp6-type 2

# router advertisement
pass in inet6 proto ipv6-icmp icmp6-type 134

# neighbor solicitation
pass in inet6 proto ipv6-icmp icmp6-type 135

# neighbor advertisement
pass in inet6 proto ipv6-icmp icmp6-type 136

# allow all connections initiated from this system, this
# includes e.g. DHCP requests
pass out