Go to main content

Securing the Network in Oracle® Solaris 11.4

Exit Print View

Updated: January 2019
 
 

How to Configure the Firewall on Oracle Solaris

To run PF as your firewall, you configure the pf.conf file to reflect your policy, then enable the firewall service. To log PF events, see Using Packet Filter Logging.

Before You Begin

To configure the firewall service, you must become an administrator who is assigned the Network Firewall Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Install the PF package.

    Perform this step if you did not install a group that contains the PF package. The solaris-small-server, solaris-large-server, and solaris-desktop group packages include the PF package. You must become an administrator who is assigned the Software Installation rights profile.

    $ pfbash pkg install firewall
  2. Create or update your packet filtering rule set and verify the syntax.
    $ pfedit /etc/firewall/pf.conf
    $ pfctl -nf /etc/firewall/pf.conf

    For sample rules, see Packet Filter Macros, Tables, and Interface Groups and Examples of PF Rules Compared to IPF Rules.


    Note -  If you are using a service, such as ftp-proxy, you need to add an anchor entry, such as anchor "ftp/*", at an appropriate place in your pf.conf file.
  3. Enable PF.
    $ svcadm enable firewall
    • If the PF configuration file is empty and you enable the firewall service, some traffic filtering occurs. For example, PF drops TCP packets with invalid flag combinations.

    • If you provide an invalid pf.conf file before enabling the service, the firewall service loads the Basic Protection Rule Set, which puts the service into the degraded state.

  4. (Optional) Verify that the PF driver is running.

    The version number is listed in the output.

    $ modinfo -i pf
    ID  LOADADDR         SIZE   INFO REV NAMEDESC
    244 --               3fdd0  137  1   pf (PF 5.5)
  5. Enable the pflog:default service if you plan to log packets.
    $ svcadm enable pflog:default

    The default location for the log is /var/log/firewall/pflog/pflog0.pkt.


    Tip  -  Schedule regular rotation of PF log files.

    For examples of configuring packet logging, see Using Packet Filter Logging and the pflogd (8) man page.

  6. (Optional) To disable the service, use the svcadm command.
    $ svcadm disable network/firewall

    This command removes all rules from the kernel and disables the service. You might disable the firewall on a system that you have disconnected from the network or that you are decommissioning.