Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: April 2019

How to Configure the PF Firewall on Oracle Solaris

To run PF as your firewall, you configure the pf.conf file to reflect your policy, then enable the firewall service. To log PF events, see Using Packet Filter Logging.

Before You Begin

To install the firewall package, you must become an administrator who is assigned the Software Installation rights profile. To configure the firewall service, you must become an administrator who is assigned the Network Firewall Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Install the PF package.
    $ pfbash pkg install firewall
  2. Create or update your packet filtering rule set and verify the syntax.
    $ pfedit /etc/firewall/pf.conf
    $ pfctl -nf /etc/firewall/pf.conf

    For sample rules, see Packet Filter Macros and Tables and Examples of PF Rules Compared to IPF Rules.

    Tip  -  In PF, you can put rule sets in different files, though this arrangement is not the default. To do so, you add an INCLUDE statement to the PF configuration file for the main (root) rule set.
    $ pfedit /etc/firewall/pf.conf
    include "/etc/firewall/pfzones.conf"

  3. Enable PF.
    $ svcadm enable firewall

    If you do not provide a valid pf.conf file before enabling the service, PF loads the basic rule set and provides an annotated pf.conf file. The rules are similar to the rules in Basic Firewall Protection Rule Set.

    Note -  If the PF configuration file is empty and you enable the firewall service, some traffic filtering occurs. For example, PF drops TCP packets with invalid flag combinations.
  4. (Optional) Determine the version of PF that is running.
    $ modinfo -i pf
    199 --               5e258  6    1   pf (PF 5.5)

    The version number is listed in the NAMEDESC column.

  5. Load the packet logging package and enable the pflog:default service.
    $ pkg install firewall-pflog
    $ svcadm enable pflog:default

    The default location for the log is /var/log/firewall/pflog/pflog0.pkt.

    Tip  -  Schedule regular rotation of PF log files.

    For examples of configuring packet logging, see Using Packet Filter Logging and the pflogd (8) man page.

  6. (Optional) To disable the service, use the svcadm command.
    $ svcadm disable network/firewall

    This command removes all rules from the kernel and disables the service. You might disable the firewall on a system that you have disconnected from the network or that you are decommissioning.