Firewall interface groups enable you to write one firewall policy for a type of network traffic and then apply that policy to the appropriate interfaces on different systems. Members of an interface group handle similar types of traffic. For example, interfaces that filter LAN traffic could be added to the group "lan".
Typical group names are lan, wan, email, and imap. The names should identify the purpose of the group, such as the type of traffic being filtered.
For example, the following rule uses the group name lan.
pass in on lan from 198.51.100.0/27 to any
PF cannot use the group name to filter packets until you make the group name a property (fwifgroup) of the interface.
For example, on HostB, the net1 and net2 interfaces provide the LAN firewall. The following commands make the group a property of each interface.
HostB# ipadm set-ifprop -p fwifgroup+=lan -m ip net1
HostB# ipadm set-ifprop -p fwifgroup+=lan -m ip net2
See Example 10, Showing, Testing, and Deleting Firewall Interface Groups. For a fuller example, see Example 11, PF Configuration File Using Firewall Interface Groups.
In this example, the administrator uses the -t option to the ipadm command so that the changes from the preceding task apply only to the active configuration on two hosts. On reboot, the original persistent configuration is restored.
HostA has the following interfaces: net0, net1, vnic3, vnic4, and vnic5.
HostB has the following interfaces: net0, net1, and net2.
The administrator adds the appropriate interfaces to the lan group.
HostA# for i in `ipadm show-if -p -o ifname|grep vnic` ; do
> ipadm set-ifprop -t -p fwifgroup+=lan -m ip $i;
> done
HostB# ipadm set-ifprop -t -p fwifgroup+=lan -m ip net1
HostB# ipadm set-ifprop -t -p fwifgroup+=lan -m ip net2
On each system, the administrator lists the firewall interface groups.
HostA$ ipadm show-ifprop -p fwifgroup
IFNAME  PROPERTY   PROTO  PERM  CURRENT  PERSISTENT  DEFAULT  POSSIBLE
lo0     fwifgroup  ip     rw    --       --          --       --
net0    fwifgroup  ip     rw    --       --          --       --
net1    fwifgroup  ip     rw    --       --          --       --
vnic3   fwifgroup  ip     rw    lan      --          --       lan
vnic4   fwifgroup  ip     rw    lan      --          --       lan
vnic5   fwifgroup  ip     rw    lan      --          --       lan
HostB$ ipadm show-ifprop -p fwifgroup
IFNAME  PROPERTY   PROTO  PERM  CURRENT  PERSISTENT  DEFAULT  POSSIBLE
lo0     fwifgroup  ip     rw    --       --          --       --
net0    fwifgroup  ip     rw    lan      --          --       lan
net1    fwifgroup  ip     rw    lan      --          --       lan
The administrator can also list the firewall interface groups per interface.
HostA$ ipadm show-ifprop -p fwifgroup vnic3
IFNAME  PROPERTY   PROTO  PERM  CURRENT  PERSISTENT  DEFAULT  POSSIBLE
vnic3   fwifgroup  ip     rw    lan      --          --       lan
After some testing, the administrator removes net0 from the lan firewall interface group on HostB, and removes all interface groups from vnic3 on HostA.
HostB# ipadm set-ifprop -p fwifgroup-=lan -m ip net0
HostA# ipadm reset-ifprop -t -p fwifgroup -m ip vnic3
The fwifgroup-=lan argument removes the single group assignment lan from net0.
HostB# ipadm set-ifprop -p fwifgroup-=lan -m ip net0
The reset-ifprop subcommand removes all group assignments from vnic3.
HostA# ipadm reset-ifprop -t -p fwifgroup -m ip vnic3
If the administrator removes all firewall interface group assignments, the group name remains in the PF configuration file but is not used for packet filtering.
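The point made here and in the first section, that a group name referenced by a PF rule but assigned to no interface filters nothing, is easy to miss after interfaces are reset. The following added script (example code, not part of the Oracle documentation) flags every name used after "on" in a rule set that is neither an interface name nor a currently assigned fwifgroup value; it assumes the parsable form of "ipadm show-ifprop -c -o ifname,current -p fwifgroup" (colon-separated, "--" when unset) and embeds constructed sample data so it runs offline.

```shell
#!/bin/sh
# Added example: audit PF rule names against assigned firewall interface groups.

# Constructed sample rules, in the style of the rule shown earlier (not a real pf.conf).
PF_RULES='pass in on lan from 198.51.100.0/27 to any
block in on wan all
pass out on net0 all
pass in on imap proto tcp to port 143'

# Constructed sample of the assumed parsable output of:
#   ipadm show-ifprop -c -o ifname,current -p fwifgroup
# One line per interface: <ifname>:<current fwifgroup value or -->.
IPADM_OUT='lo0:--
net0:--
net1:lan
net2:lan'

# unresolved_names RULES IPADM_OUTPUT
# Prints, one per line and sorted, every name that follows "on" in RULES and
# is neither an interface name nor a group currently assigned to an interface.
unresolved_names() {
    rules=$1
    ipadm_out=$2
    # Known names: every interface, plus every assigned group value
    # (a comma-separated list is split in case several groups are assigned).
    known=$(printf '%s\n' "$ipadm_out" | awk -F: '
        { print $1
          n = split($2, g, ",")
          for (j = 1; j <= n; j++) if (g[j] != "--") print g[j] }')
    printf '%s\n' "$rules" | awk '
        { for (i = 1; i < NF; i++) if ($i == "on") print $(i + 1) }
    ' | sort -u | while read -r name; do
        # Report any name absent from the known list (exact whole-line match).
        printf '%s\n' "$known" | grep -qx -- "$name" || printf '%s\n' "$name"
    done
}

# With the sample data, "wan" and "imap" appear in rules but are not assigned
# to any interface, so those rules filter no traffic.
unresolved_names "$PF_RULES" "$IPADM_OUT"
```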