Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: September 2018
 
 

How to Monitor the PF Firewall on Oracle Solaris

Monitoring includes viewing firewall service properties, viewing rules as they are running or viewing possible rule sets, and reviewing log files.

Before You Begin

You must become an administrator who is assigned the Network Firewall Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Examine the status of the firewall service.
    • Determine whether the Packet Filter service is enabled.
      $ svcs -x firewall:default
      svc:/network/firewall:default (Network Firewall)
       State: disabled since Fri Apr 10 10:10:50 2015
      Reason: Disabled by an administrator.
         See: http://oracle.com/msg/SMF-8000-05
         See: pf.conf(5)
         See: /var/svc/log/network-firewall:default.log
      Impact: This service is not running.
    • List the configuration file names and locations for the Packet Filter service.
      $ svcprop firewall:default | grep ^firewall
      firewall/default_rules_sha256 astring 7734b...bbb
      firewall/fingerprints astring /etc/firewall/pf.os
      firewall/rules astring /etc/firewall/pf.conf
      firewall/value_authorization astring solaris.smf.value.network.firewall
  2. Examine your firewall rules.
    • Examine the current rules in your firewall configuration.

      The following example shows output from the packet filtering rule set that is loaded in the kernel.

      $ pfbash pfctl -s rules
      empty list for firewall(out)
      pass in quick on net1 from 198.51.100.0/27 to any flags S/SA
      block drop in on net1 all
    • Verify that a possible firewall configuration is syntactically correct.

      The following command checks the syntax of a rules file. This check does not load rules into the kernel.

      $ pfctl -n -f /test/firewall/pf.conf
  3. Examine the log files.

    You can use utilities that read files in libpcap format, such as tcpdump or tshark. For more information, see the tcpdump(1), tshark(1), and pcap (3PCAP) man pages.

Troubleshooting

If you expect log file entries but they are not in the log file, make sure that you have used a valid name for a capture datalink. Strings that match the following pattern are a safe choice for a capture datalink interface name: [a-z][:alnum:]*[0-9]. So, for example, dashes and underscores should not be used.