The examples in this section illustrate PF rules and rule sets.
Configuration files follow standard UNIX syntax rules:
The pound sign (#) indicates a comment.
Rules and comments can coexist on the same line.
Extraneous white space is allowed for readability.
Rules can be more than one line long. A backslash (\) at the end of a line indicates that the rule continues on the next line.
This example shows a configuration on two host systems with multiple network interfaces. This example extends the example used in Example 10, Showing, Testing, and Deleting Firewall Interface Groups.
The same PF configuration file is loaded on both systems, but the lan, wan, and imap firewall interface groups have different members on the two hosts. On each host, the administrator uses the ipadm command to set the fwifgroup property on each interface, which adds that interface to the groups that enforce the policy.
HostA has the following interfaces: net0, net1, vnic3, vnic4, and vnic5.
HostB has the following interfaces: net0, net1, and net2.
The following PF configuration file is loaded at boot on both systems:
## Policy for members of lan, imap, and wan groups
block from any to any
pass in on lan from 198.51.100.0/27 to any
pass quick on imap proto tcp from 198.51.100.0/27 to any \
    port=imaps received-on lan
pass out on wan from 198.51.100.0/27 to any received-on lan
...
The following commands ensure that the interfaces are added to the correct groups. On HostA, the administrator runs the following commands:
# ipadm set-ifprop -p fwifgroup+=wan -m ip net0
# ipadm set-ifprop -p fwifgroup+=imap -m ip net1
# for i in `ipadm show-if -p -o ifname|grep vnic` ; do
> ipadm set-ifprop -p fwifgroup+=lan -m ip $i;
> done
On HostB, the administrator runs the following commands:
# ipadm set-ifprop -p fwifgroup+=wan -m ip net0
# ipadm set-ifprop -p fwifgroup+=imap -m ip net0
# ipadm set-ifprop -p fwifgroup+=lan -m ip net1
# ipadm set-ifprop -p fwifgroup+=lan -m ip net2
Example 12 Sample PF Configuration File
This annotated file expands on the basic protection rule set. The firewall uses these rules whenever the firewall service goes into maintenance mode. For example, a syntax error might put the service into maintenance mode.
## make IP reassembly work
set reassemble yes no-df
## block everything unless told otherwise
## and send TCP-RST/ICMP unreachable
## for every packet which gets blocked
block return
## accept incoming SSH connections
pass in proto tcp to any port 22
## allow incoming messages from DHCP
pass in inet proto udp from port 67 to port 68
pass in inet6 proto udp from port 547 to port 546
## packet too big - needed for PMTUD
pass in inet6 proto ipv6-icmp icmp6-type 2
## router advertisement
pass in inet6 proto ipv6-icmp icmp6-type 134
## neighbor solicitation
pass in inet6 proto ipv6-icmp icmp6-type 135
## neighbor advertisement
pass in inet6 proto ipv6-icmp icmp6-type 136
## allow all connections initiated from this system,
## including DHCP requests
pass out
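The interface-group procedure above (the shared rule set plus the per-host ipadm commands) depends on every group the rules name having at least one member on each host; a group with no members makes its pass rules match nothing there. As an added example that is not part of the Oracle documentation, this POSIX shell script generates the ipadm commands from a membership table and reports any group the rule set references that the table leaves empty. The membership tables and the gen_ipadm_cmds and missing_groups functions are constructed here; nothing is applied to a live system.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. Because the same pf.conf is
# loaded on every host, a group that a rule names but that has no member on a
# given host makes that rule match nothing there. The functions below generate
# the per-host ipadm commands and flag any unpopulated group before deployment.

# Constructed copy of the interface-group rule set shown above.
PF_CONF='## Policy for members of lan, imap, and wan groups
block from any to any
pass in on lan from 198.51.100.0/27 to any
pass quick on imap proto tcp from 198.51.100.0/27 to any \
    port=imaps received-on lan
pass out on wan from 198.51.100.0/27 to any received-on lan'

# Constructed membership tables, one "interface group" pair per line.
HOSTA_MEMBERS='net0 wan
net1 imap
vnic3 lan
vnic4 lan
vnic5 lan'
HOSTB_MEMBERS='net0 wan
net0 imap
net1 lan
net2 lan'

# Emit the ipadm command for each pair in a membership table (printed, not run).
gen_ipadm_cmds() {
    printf '%s\n' "$1" | awk 'NF == 2 {
        printf "ipadm set-ifprop -p fwifgroup+=%s -m ip %s\n", $2, $1 }'
}

# Print every group named after "on" or "received-on" in the rule set that has
# no member in the table (assumes rules bind to groups, not raw interface names).
missing_groups() {
    conf=$1; members=$2
    printf '%s\n' "$conf" | sed 's/#.*//' | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "on" || $i == "received-on") print $(i + 1) }' |
    sort -u | while read -r g; do
        printf '%s\n' "$members" |
            awk -v g="$g" '$2 == g { found = 1 } END { exit !found }' ||
            echo "$g"
    done
}

# Stand-alone use: print HostB's commands, then check HostB against the rule set.
gen_ipadm_cmds "$HOSTB_MEMBERS"
missing=$(missing_groups "$PF_CONF" "$HOSTB_MEMBERS")
[ -z "$missing" ] && echo "all groups populated" || echo "unpopulated: $missing"
```

Run it on the real table for each host before loading the rule set; a non-empty report means some rule will silently match nothing on that host.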