Go to main content

Securing the Network in Oracle® Solaris 11.4

Exit Print View

Updated: January 2019
 
 

Examples of PF Configuration Files

The examples in this section illustrate PF rules and rule sets.

    Configuration files follow standard UNIX syntax rules:

  • The pound sign (#) indicates a comment.

  • Rules and comments can coexist on the same line.

  • Extraneous white space is allowed for readability.

  • Rules can be more than one line long. A backslash (\) at the end of a line indicates that the rule continues on the next line.

For more detailed syntax information, see Packet Filter Rule Syntax and the pf.conf(7) man page.

Example 11  PF Configuration File Using Firewall Interface Groups

This example shows a configuration on two host systems with multiple network interfaces. This example extends the example used in Example 10, Showing, Testing, and Deleting Firewall Interface Groups.

The same PF configuration file is loaded on both systems, but the lan, wan, and imap firewall interface groups have different members on the two hosts. The administrator sets the fwifgroup property with the ipadm command per interface to add the interfaces to the groups that enforce the policy.

HostA has the following interfaces: net0, net1, vnic3, vnic4, and vnic5.

HostB has the following interfaces: net0, net1, and net2.

The following PF configuration file is loaded at boot on both systems:

## Policy for members of lan, imap, and wan groups
        block from any to any
        pass in on lan from 198.51.100.0/27 to any
        pass quick on imap proto tcp from 198.51.100.0/27 to any \
            port=imaps received-on lan
        pass out on wan from 198.51.100.0/27 to any received-on lan
...

The following commands ensure that the interfaces are added to the correct groups. On HostA, the administrator runs the following commands:

# ipadm set-ifprop -p fwifgroup+=wan -m ip net0
# ipadm set-ifprop -p fwifgroup+=imap -m ip net1
# for i in `ipadm show-if -p -o ifname|grep vnic` ; do
> ipadm set-ifprop -p fwifgroup+=lan -m ip $i;
> done

On HostB, the administrator runs the following commands:

# ipadm set-ifprop -p fwifgroup+=wan -m ip net0
# ipadm set-ifprop -p fwifgroup+=imap -m ip net0
# ipadm set-ifprop -p fwifgroup+=lan -m ip net1
# ipadm set-ifprop -p fwifgroup+=lan -m ip net2
Example 12  Sample PF Configuration File

This annotated file expands on the basic protection rule set. The firewall uses these rules whenever the firewall service goes into maintenance mode. For example, a syntax error might put the service into maintenance mode.

    ##  make IP reassembly work
    set reassemble yes no-df

    ## block everything unless told otherwise
    ## and send TCP-RST/ICMP unreachable
    ## for every packet which gets blocked
    block return

    ## accept incoming SSH connections
    pass in proto tcp to any port 22

    ## allow incoming messages from DHCP
    pass in inet proto udp from port 67 to port 68
    pass in inet6 proto udp from port 547 to port 546

    ## packet too big - needed for PMTUD
    pass in inet6 proto ipv6-icmp icmp6-type 2

    ## router advertisement
    pass in inet6 proto ipv6-icmp icmp6-type 134

    ## neighbor solicitation
    pass in inet6 proto ipv6-icmp icmp6-type 135

    ## neighbor advertisement
    pass in inet6 proto ipv6-icmp icmp6-type 136

    ## allow all connections initiated from this system,
    ## including DHCP requests
    pass out