This section describes the basic firewall rule set that Oracle Solaris provides for you to modify or replace, and the pflog service for logging PF packets.
The pf.conf file in the firewall package provides a basic firewall only. If you reboot the system with an invalid pf.conf file, Oracle Solaris loads this basic rule set.
The basic rule set is similar to the following:
## PF does IP reassembly by default.
## On Oracle Solaris, the 'no-df' option ensures that IP reassembly works
## with broken stacks that send packets with the invalid flag combination 'MF|DF'.
##
set reassemble yes no-df
##
## Ignore loopback traffic by default.
##
## Filtering on loopback can interfere with zone installation and other
## operations due to Oracle Solaris optimizations. See the pf.conf(5)
## man page for guidance on how to enable it for your application.
set skip on lo0
This initial configuration enables you to reach the system remotely by using Secure Shell and modify the firewall.
Logging packets is an additional SMF service in PF. To log packets, you need to enable the logging service and add log actions in your PF rules. The default logging service instance is pflog:default.
The following describes the overall process:
A pflog service instance creates a capture datalink. The datalink is stored as the value of the service property interface.
A packet enters PF and matches a rule with a log action.
PF sends the matched packet to the capture datalink specified by the log action. If no capture datalink is specified, PF uses the default (pflog0) capture datalink.
The pflog service instance that reads the capture datalink might attach a BPF filter to the capture link, similar to what tcpdump might do. The filter selects a subset of the packet to log. If no filter expression exists, which is the default, all packets are sent to the pflog daemon and then copied into the log.
The administrator archives the log files, refreshes the pflog service to restart the logging, and moves the log files to another system for inspection.
The log file written by the pflog daemon is in libpcap format. Oracle Solaris provides several tools that can read this format, including tshark, tcpdump, and Wireshark. For more information, see the tcpdump(1), tshark(1), and pcap(3PCAP) man pages.
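Because the log is a plain libpcap file, it can be inspected without tcpdump. The following reader is an added example, not Oracle Solaris code: it walks the libpcap container that the pflog daemon writes (the 24-byte global header, then a 16-byte header per record), reports the snaplen and link type recorded in the file, and counts how many records were cut short by the snaplen. The sample file is constructed in memory with dummy payloads; the link-type value 117 (libpcap's DLT_PFLOG) is assumed for that sample only, and the per-packet pflog header that precedes the IP packet is not decoded here because its layout is not covered on this page.

```python
"""Summarize a pflog packet log (libpcap format) without tcpdump."""
import struct
from dataclasses import dataclass

PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond-resolution timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-resolution timestamps


@dataclass
class PcapSummary:
    snaplen: int       # capture length the file was written with (pflog/snaplen)
    linktype: int      # DLT value from the global header
    records: int       # number of packet records in the file
    truncated: int     # records whose captured length is below the original length
    bytes_total: int   # sum of captured lengths


def parse_pcap(data: bytes) -> PcapSummary:
    """Walk the libpcap global header and every record header in `data`.

    Raises ValueError on a bad magic number, a record header or packet body
    that runs past the end of the file, or a record longer than the snaplen
    (none of which a correctly written pflog file should contain).
    """
    if len(data) < 24:
        raise ValueError("file shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"
    else:
        magic = struct.unpack(">I", data[:4])[0]
        if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            raise ValueError("not a libpcap file (bad magic number)")
        endian = ">"
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    off = 24
    records = truncated = total = 0
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        # ts_sec, ts_usec/ts_nsec, incl_len (captured), orig_len (on the wire)
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > snaplen:
            raise ValueError(f"record at offset {off} exceeds snaplen {snaplen}")
        off += 16
        if off + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {off}")
        off += incl_len
        records += 1
        total += incl_len
        if incl_len < orig_len:
            truncated += 1
    return PcapSummary(snaplen, linktype, records, truncated, total)


def summarize_file(path: str) -> PcapSummary:
    """Summarize an on-disk log such as /var/log/firewall/pflog/pflog0.pkt."""
    with open(path, "rb") as f:
        return parse_pcap(f.read())


def build_sample_pcap(snaplen: int = 160, linktype: int = 117,
                      packet_lens=(60, 200, 1500)) -> bytes:
    """Construct a little-endian pcap file with dummy payloads (test data only).

    Packets longer than the snaplen are stored cut to the snaplen, the way a
    capture with pflog/snaplen 160 stores them.
    """
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    for i, n in enumerate(packet_lens):
        incl = min(n, snaplen)
        out += struct.pack("<IIII", 1700000000 + i, 0, incl, n) + bytes(incl)
    return out


if __name__ == "__main__":
    print(parse_pcap(build_sample_pcap()))
```

A high `truncated` count relative to `records` is the sign that the instance's snaplen is too short for the traffic you want to inspect, which is the case the text mentions for creating a separate instance with a longer snaplen.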
Initially, packet logging uses the pflog:default service instance, which sends packets to the pflog0.pkt log file. You might want to create new service instances for packets that arrive on a particular port, or for packets that need a longer snaplen, or for debugging or other purposes. For the properties that you can specify for a pflog service instance, see the pflogd(8) man page.
To see the initial values of the default pflog service properties, run the following command on a newly-installed system:
$ svcprop -g application pflog
pflog/delay integer 60
pflog/filter astring ""
pflog/interface astring pflog0
pflog/logfile astring /var/log/firewall/pflog/pflog0.pkt
pflog/snaplen integer 160
The following examples illustrate typical log file administration tasks. For more examples, see the pflogd(8) man page.
Example 4 Creating a New pflog Service Instance
The following command creates a new instance called pflssh1 for logging packets whose source or destination is port 22.
$ pfbash pflogd -C pflssh1 port 22
The following command shows the configuration of the instance, including its log file and filter.
$ pflogd -c pflssh1
PF pflogd configuration:
- logfile: /var/log/firewall/pflog/pflssh1.pkt
- snaplen: 160
- interface: pflssh1
- delay: 60
- filter: port 22
When a packet matches a PF rule that includes the log (to pflssh1) action and port 22, the pflogd daemon adds a log entry to the pflssh1.pkt file from the capture datalink.
For example, packets that match the following rule become entries in the pflssh1.pkt file:
pass in log (to pflssh1) proto tcp to any port 22
Note that packets from a remote host to another remote host's port 22 will be logged.
Similarly, as an example of selective filtering, packets from or to port 22 will be logged by this rule:
pass in log (to pflssh1) proto tcp from any to any
Example 5 Specifying a Log File for a pflog Service Instance
In this example, the logs of the new service instance are written to the debug0.pkt file in the debug directory below the /var/log/firewall/pflog/ directory.
$ pfbash pflogd -C debug0 -f /var/log/firewall/pflog/debug/debug0.pkt
Example 6 Rotating PF Log Files
The following command archives the current log. After the administrator refreshes the service, the pflog0.pkt log file is empty and ready for new entries.
$ pfbash mv /var/log/firewall/pflog/pflog0.pkt /var/log/firewall/pflog/archive1pflog0.pkt
$ svcadm refresh pflog:default
The administrator copies the archived files to another system for inspection.
# scp /var/log/firewall/pflog/archive*.pkt username@192.0.2.44:/logs/pflogs/
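The rotation sequence above (rename the live log, then refresh the instance so the daemon starts an empty file) as a small script. This is an added example, not part of Oracle Solaris or the pflog service: it assumes the log file path shown by svcprop (for example /var/log/firewall/pflog/pflog0.pkt), chooses the next unused archive<N><logfile> name so repeated rotations never overwrite an earlier archive, and refreshes the service only after the rename has succeeded. The refresh step is a replaceable callable so the logic can be exercised on a system without svcadm; the default calls `svcadm refresh pflog:<instance>` exactly as the text does.

```python
"""Rotate a pflog packet log and refresh its SMF instance."""
import os
import subprocess
from pathlib import Path
from typing import Callable, Optional

# Default log directory from the text; each instance's log path comes from
# its pflog/logfile property and may point elsewhere (see Example 5).
PFLOG_DIR = Path("/var/log/firewall/pflog")


def next_archive_name(logdir: Path, logname: str) -> Path:
    """Return archive<N><logname> in logdir for the smallest N not yet in use."""
    n = 1
    while (logdir / f"archive{n}{logname}").exists():
        n += 1
    return logdir / f"archive{n}{logname}"


def svcadm_refresh(instance: str) -> None:
    """Refresh the pflog instance so pflogd reopens an empty log file."""
    subprocess.run(["svcadm", "refresh", f"pflog:{instance}"], check=True)


def rotate_pflog(instance: str, logfile: Path,
                 refresh: Callable[[str], None] = svcadm_refresh) -> Optional[Path]:
    """Move the live log aside, then refresh the service.

    Returns the archive path, or None when there is nothing to rotate.
    The rename happens first and is done with os.rename (atomic within one
    filesystem), so if it fails the service is left untouched and pflogd keeps
    writing to the original file rather than to a path the operator believes
    has been archived.
    """
    logfile = Path(logfile)
    if not logfile.exists():
        return None
    target = next_archive_name(logfile.parent, logfile.name)
    os.rename(logfile, target)
    refresh(instance)
    return target


if __name__ == "__main__":
    archived = rotate_pflog("default", PFLOG_DIR / "pflog0.pkt")
    print("archived to", archived if archived else "(nothing to rotate)")
```

Keeping the log file's own name inside the archive name (archive1pflog0.pkt, archive1pflssh1.pkt, and so on) also respects the caution below: archives from different instances stay in separate files.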
Caution - Do not store packets from different pflog instances in the same log file. And, do not have more than one instance use the same capture datalink simultaneously.