
Securing the Network in Oracle® Solaris 11.3


Updated: March 2018

How to Monitor the PF Firewall on Oracle Solaris

Monitoring includes viewing firewall service properties, viewing rules as they are running or viewing possible rule sets, and reviewing log files.

Before You Begin

You must become an administrator who is assigned the Network Firewall Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Examine the status of the firewall service.
    • Determine whether the Packet Filter service is enabled.
      $ svcs -x firewall:default
      svc:/network/firewall:default (Network Firewall)
       State: disabled since Fri Apr 10 10:10:50 2015
      Reason: Disabled by an administrator.
         See: http://oracle.com/msg/SMF-8000-05
         See: pf.conf(5)
         See: /var/svc/log/network-firewall:default.log
      Impact: This service is not running.
    • List the configuration file names and locations for the Packet Filter service.
      $ svccfg -s firewall:default listprop | grep firewall
      firewall                      application   
      firewall/fingerprints         astring     /etc/firewall/pf.os
      firewall/rules                astring     /etc/firewall/pf.conf
      firewall/value_authorization  astring     solaris.smf.value.network.firewall
      restarter/logfile             astring     /var/svc/log/network-firewall:default.log
  2. Examine your firewall rules.
    • Examine the current rules in your firewall configuration.

      The following example shows output from the packet filtering rule set that is loaded in the kernel.

      # pfctl -s rules
      empty list for firewall(out)
      pass in quick on net1 from to any
      pass in all
      block in on net1 from to any
    • Verify that a possible firewall configuration is syntactically correct.

      The following command checks the syntax of a rules file. This check does not load rules into the kernel.

      # pfctl -n -f /test/firewall/pf.conf
  3. Examine the log files.

    You can use utilities that read files in libpcap format, such as tcpdump or tshark. For more information, see the tcpdump(1), tshark(1), and pcap(3PCAP) man pages.
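
The status and property checks from step 1 can be scripted for routine monitoring. The following is an added example, not part of the Oracle documentation: it parses the `svcs -x` and `svccfg listprop` output formats shown above and reports a finding when the service is not online or the rules file named in `firewall/rules` cannot be read. The function names `fw_state`, `fw_prop` and `fw_report` are hypothetical, and the sample input is constructed from the output in step 1.

```shell
#!/bin/sh
# Added example; fw_state, fw_prop and fw_report are hypothetical names.

# Constructed sample input, mirroring the output shown in step 1.
SAMPLE_SVCS='svc:/network/firewall:default (Network Firewall)
 State: disabled since Fri Apr 10 10:10:50 2015
Reason: Disabled by an administrator.'
SAMPLE_PROPS='firewall                      application
firewall/fingerprints         astring     /etc/firewall/pf.os
firewall/rules                astring     /etc/firewall/pf.conf'

# Print the state word from `svcs -x` output read on stdin.
fw_state() {
    awk '$1 == "State:" { print $2; exit }'
}

# Print the value of property $1 from `svccfg listprop` output on stdin.
fw_prop() {
    awk -v p="$1" '$1 == p { print $3; exit }'
}

# $1 = svcs -x text, $2 = listprop text. Prints one line per finding and
# returns 0 only if the service is online and the rules file is readable.
fw_report() {
    state=$(printf '%s\n' "$1" | fw_state)
    rules=$(printf '%s\n' "$2" | fw_prop firewall/rules)
    rc=0
    if [ "$state" != "online" ]; then
        echo "FINDING: firewall service state is '${state:-unknown}'"
        rc=1
    fi
    if [ -z "$rules" ]; then
        echo "FINDING: firewall/rules property is not set"
        rc=1
    elif [ ! -r "$rules" ]; then
        echo "FINDING: rules file $rules is missing or unreadable"
        rc=1
    fi
    return "$rc"
}

# Use live data on a Solaris host, otherwise the constructed sample.
if command -v svcs >/dev/null 2>&1 && command -v svccfg >/dev/null 2>&1; then
    fw_report "$(svcs -x firewall:default)" \
              "$(svccfg -s firewall:default listprop)" || true
else
    fw_report "$SAMPLE_SVCS" "$SAMPLE_PROPS" || true
fi
```

Remove the trailing `|| true` when running the script from a scheduler so that a finding produces a non-zero exit status.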