To run PF as your firewall, you configure the pf.conf file to reflect your policy, then enable the firewall service. To log PF events, see Using Packet Filter Logging.
Before You Begin
To configure the firewall service, you must become an administrator who is assigned the Network Firewall Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
Perform this step if you did not install a group that contains the PF package. The solaris-small-server, solaris-large-server, and solaris-desktop group packages include the PF package. You must become an administrator who is assigned the Software Installation rights profile.
$ pfbash pkg install firewall
$ pfedit /etc/firewall/pf.conf
$ pfctl -nf /etc/firewall/pf.conf
For sample rules, see Packet Filter Macros, Tables, and Interface Groups and Examples of PF Rules Compared to IPF Rules.
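A minimal default-deny policy of the kind you would put in /etc/firewall/pf.conf, as an added example that is not taken from the page or from Oracle's documentation. The interface name net0 and the admin network 192.0.2.0/24 are assumptions; substitute your own, then check the file with pfctl -nf before enabling the service.

```pf
# Constructed example pf.conf for Oracle Solaris PF; not the page's own rules.
# net0 and 192.0.2.0/24 are assumed values.
ext_if    = "net0"
admin_net = "192.0.2.0/24"

# Do not filter loopback traffic.
set skip on lo0

# Default-deny: anything not explicitly passed below is dropped and logged.
block log all

# Allow SSH administration only from the admin network, keeping state so
# the reply packets are matched to the connection.
pass in quick on $ext_if proto tcp from $admin_net to ($ext_if) port 22 keep state

# Let the host itself open outbound connections.
pass out quick on $ext_if all keep state
```

Because the first matching quick rule wins, every pass rule here is explicit and everything else falls through to the logging block rule; the logged drops are what you would review with the pflog service described below.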
$ svcadm enable firewall
If the PF configuration file is empty and you enable the firewall service, some traffic filtering occurs. For example, PF drops TCP packets with invalid flag combinations.
If you provide an invalid pf.conf file before enabling the service, the firewall service loads the Basic Protection Rule Set, which puts the service into the degraded state.
The version number is listed in the output.
$ modinfo -i pf
 ID LOADADDR  SIZE INFO REV NAMEDESC
244 --       3fdd0  137   1 pf (PF 5.5)
$ svcadm enable pflog:default
The default location for the log is /var/log/firewall/pflog/pflog0.pkt.
For examples of configuring packet logging, see Using Packet Filter Logging and the pflogd(8) man page.
$ svcadm disable network/firewall
This command removes all rules from the kernel and disables the service. You might disable the firewall on a system that you have disconnected from the network or that you are decommissioning.