Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: March 2018

How to Configure the PF Firewall on Oracle Solaris

To run PF as your firewall, you configure the pf.conf file to reflect your policy, then enable the firewall service. To log PF events, see Using Packet Filter Logging.

Before You Begin

To install the firewall package, you must become an administrator who is assigned the Software Installation rights profile. To configure the firewall service, you must become an administrator who is assigned the Network Firewall Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Install the PF package.

    Perform this step if you did not install a group that contains the PF package. The solaris-small-server, solaris-large-server, and solaris-desktop group packages include the PF package.

    $ pkg install firewall
  2. Create or update your packet filtering rule set.
    $ pfedit /etc/firewall/pf.conf

    For sample rules, see Packet Filter Macros and Tables and Examples of PF Rules Compared to IPF Rules.

  3. Enable PF.
    # svcadm enable firewall

    If you do not provide a valid pf.conf file before enabling the service, PF loads the basic rule set and provides an annotated pf.conf file. The rules are similar to the rules in Basic Firewall Protection Rule Set.

    Note -  If you empty the configuration file and enable the firewall service, some traffic filtering occurs. For example, PF drops TCP packets with invalid flag combinations.
  4. (Optional) Determine the version of PF that is running.
    $ modinfo -i pf
    197 --               5b1f8  6    1   pf (PF 5.5)

    The version number is listed in the NAMEDESC column.

  5. Load the packet logging package and enable the pflog:default service.
    $ pkg install firewall-pflog
    $ svcadm enable pflog:default

    The default location for the log is /var/log/firewall/pflog/pflog0.pkt.

    Tip  -  Schedule regular rotation of PF log files.

    For examples of configuring packet logging, see Using Packet Filter Logging and the pflogd (8) man page.

  6. (Optional) To disable the service, use the svcadm command.
    # svcadm disable network/firewall

    This command removes all rules from the kernel and disables the service. You might disable the firewall on a system that you have disconnected from the network or that you are decommissioning.