
Securing the Network in Oracle® Solaris 11.3


Updated: March 2018

Preparing to Configure the Oracle Solaris Firewall

This section describes the basic firewall rule set that Oracle Solaris provides for you to modify or replace, and the pflog service for logging PF packets.

Basic Firewall Protection Rule Set

The pf.conf file in the firewall package provides a basic firewall only. If you reboot the system with an invalid pf.conf file, Oracle Solaris loads this basic rule set.

The basic rule set is similar to the following:

## PF does IP reassembly by default. 
## On Oracle Solaris, the 'no-df' option ensures that IP reassembly works
## with broken stacks that send packets with the invalid flag combination 'MF|DF'.
set reassemble yes no-df
## Ignore loopback traffic by default.
## Filtering on loopback can interfere with zone installation and other
## operations due to Oracle Solaris optimizations. See the pf.conf(5)
## man page for guidance on how to enable it for your application.
set skip on lo0

This initial configuration enables you to reach the system remotely by using Secure Shell and modify the firewall.

Using Packet Filter Logging

Packet filter logging is an additional SMF service in PF. To log packet filter events, you need to install the logging package, enable the logging service, and have log actions in your PF rules. The package name is network/firewall/firewall-pflog and the default logging service instance is pflog:default.

The following describes the overall process:

  1. A pflog service instance creates a capture datalink. The datalink is stored as the value of the service property interface.

  2. A packet enters PF and matches a rule with a log action.

  3. PF sends the matched packet to the capture datalink specified by the log action. If no capture datalink is specified, PF uses the default (pflog0) capture datalink.

  4. The pflog service instance that reads the capture datalink uses its filter expression to determine whether to write the packet to the log. The default service instance has no filter expression, so all packets are written to the log.

  5. The administrator archives the log files, refreshes the pflog service to restart the logging, and moves the log files to another system for inspection.

The log file written by the pflog daemon is in libpcap format. Oracle Solaris provides several tools that can read this format, including tcpdump and tshark; for example, tcpdump -r /var/log/firewall/pflog/pflog0.pkt prints the packets in the default log. For more information, see the tcpdump(1), tshark(1), and pcap(3PCAP) man pages.
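As an added example (not code from Oracle's documentation or from pflogd itself), the following Python reads a file in this format directly, without tcpdump or tshark: it parses the 24-byte libpcap global header, walks the per-packet records, rejects a record that claims more bytes than the file's snaplen, and reports which packets were cut short by the snaplen (the default pflog instance uses 160 bytes, as the property listing below shows). The capture it parses is constructed inline; the link-layer type DLT_PFLOG (117 in libpcap) and the snaplen are assumptions for the demo, since this page does not state which link type Solaris pflogd writes.

```python
"""Minimal reader for libpcap files such as those written by pflogd.

Added example, not part of Oracle's documentation or of pflogd. The sample
capture is constructed inline; DLT_PFLOG and the 160-byte snaplen are
assumptions for the demo.
"""
import struct
import sys
from dataclasses import dataclass
from typing import Iterator, Optional

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic magic, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # variant with nanosecond timestamps
DLT_PFLOG = 117                # libpcap link type for PF log packets (assumed for the demo)


@dataclass
class PcapHeader:
    endian: str          # "<" little-endian or ">" big-endian, from the magic
    version: tuple
    snaplen: int         # max bytes stored per packet
    linktype: int
    ts_nsec: bool


@dataclass
class Record:
    ts: float
    caplen: int          # bytes stored in the file
    origlen: int         # bytes seen on the wire
    data: bytes

    @property
    def truncated(self) -> bool:
        """True when the snaplen cut the packet short."""
        return self.caplen < self.origlen


def parse_header(buf: bytes) -> PcapHeader:
    if len(buf) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", buf[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a libpcap file (bad magic %s)" % buf[:4].hex())
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", buf[4:24])
    return PcapHeader(endian, (major, minor), snaplen, linktype, magic == PCAP_MAGIC_NSEC)


def iter_records(buf: bytes) -> Iterator[Record]:
    """Yield packet records, validating each 16-byte record header against the file."""
    hdr = parse_header(buf)
    off, n = 24, 0
    while off < len(buf):
        if off + 16 > len(buf):
            raise ValueError(f"record {n}: header runs past end of file")
        ts_sec, ts_frac, caplen, origlen = struct.unpack(hdr.endian + "IIII", buf[off:off + 16])
        off += 16
        if caplen > hdr.snaplen:
            raise ValueError(f"record {n}: caplen {caplen} exceeds snaplen {hdr.snaplen}")
        if off + caplen > len(buf):
            raise ValueError(f"record {n}: body runs past end of file")
        frac = ts_frac / (1e9 if hdr.ts_nsec else 1e6)
        yield Record(ts_sec + frac, caplen, origlen, buf[off:off + caplen])
        off += caplen
        n += 1


def summarize(buf: bytes) -> dict:
    hdr = parse_header(buf)
    recs = list(iter_records(buf))
    return {
        "linktype": hdr.linktype,
        "snaplen": hdr.snaplen,
        "records": len(recs),
        "truncated": sum(1 for r in recs if r.truncated),
        "bytes_on_wire": sum(r.origlen for r in recs),
    }


def validate(buf: bytes) -> Optional[str]:
    """Return None if the file parses cleanly, else the first error message."""
    try:
        list(iter_records(buf))
        return None
    except ValueError as exc:
        return str(exc)


def build_sample(snaplen: int = 160, linktype: int = DLT_PFLOG, endian: str = "<") -> bytes:
    """Constructed capture: a 60-byte packet and a 1536-byte packet cut to snaplen."""
    hdr = struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    pkt1 = bytes(range(60))
    pkt2 = bytes(range(256)) * 6
    rec1 = struct.pack(endian + "IIII", 1520000000, 1000, len(pkt1), len(pkt1)) + pkt1
    rec2 = struct.pack(endian + "IIII", 1520000001, 2000, snaplen, len(pkt2)) + pkt2[:snaplen]
    return hdr + rec1 + rec2


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(summarize(data))
```

Run it with a path argument to summarize a real pflog0.pkt. A truncated count close to the record count means the snaplen is too small for the payloads you want to inspect; the page's advice is to raise it in a dedicated pflog instance rather than by editing the default one.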

Tip  -  For ease of configuration and debugging, name your capture datalink and log file identically by ending pflog service instance names with a number, such as pflog1 or pflog21.

Initially, packet logging uses the pflog:default service instance, which sends packets to the pflog0.pkt log file. You might want to create new service instances for packets that arrive on a particular port, for packets that need a longer snaplen, or for debugging or other purposes. For the properties that you can specify for a pflog service instance, see the pflogd(8) man page.

To see the initial values of the default pflog service properties, run the following command on a newly installed system:

% svcprop -g application pflog
pflog/delay integer 60
pflog/filter astring ""
pflog/interface astring pflog0
pflog/logfile astring /var/log/firewall/pflog/pflog0.pkt
pflog/snaplen integer 160

The following examples illustrate typical log file administration tasks. For more examples, see the pflogd(8) man page.

Example 4  Creating a New pflog Service Instance

The following command creates a new instance called pflssh1 for logging packets whose source or destination is port 22.

$ pflogd -C pflssh1 port 22

The following command shows the configuration of the instance, including its log file and filter.

$ pflogd -c pflssh1
PF pflogd configuration:
        - logfile:
        - snaplen:
        - interface:
        - delay:
        - filter:
                port 22

When a packet matches a PF rule that includes the log (to pflssh1) action and involves port 22, the pflogd daemon for that instance reads the packet from the capture datalink and writes it to the pflssh1.pkt file.

For example, packets that match the following rule become entries in the pflssh1.pkt file:

pass in log (to pflssh1) proto tcp to any port 22

Note that this rule matches on the destination port alone, so if the system forwards traffic, packets from one remote host to another remote host's port 22 also match and are logged.

The pflog instance's own filter expression provides a second level of filtering. The following rule sends every inbound TCP packet to the pflssh1 datalink, but only packets from or to port 22 pass the instance's filter expression and are written to pflssh1.pkt:

pass in log (to pflssh1) proto tcp from any to any

Example 5  Specifying a Log File for a pflog Service Instance

In this example, the logs of the new service instance are placed in a directory below the /var/log/firewall/pflog/ directory.

$ pflogd -C debug0 -f /var/log/firewall/pflog/debug/debug0.pkt

Example 6  Dedicating a PF Log File to One Rule

In this example, the administrator logs only packets that match a given rule to a capture datalink and subsequent log file.

First, the administrator creates the dedicated pflog instance.

$ pflogd -C pflog21

Then, the administrator specifies the capture datalink in the rule.

pass in log (to pflog21) proto tcp from any to any port = 21

The path to the log file is /var/log/firewall/pflog/pflog21.pkt.

Example 7  Rotating PF Log Files

The following commands archive the current log. Renaming the file does not by itself stop pflogd from writing to it: the daemon holds the renamed file open until the service is refreshed. The refresh makes pflogd reopen its configured logfile path, so a fresh pflog0.pkt is ready for new entries. Perform the refresh immediately after the move, and do not copy the archive elsewhere until the refresh has completed.

$ mv /var/log/firewall/pflog/pflog0.pkt /var/log/firewall/pflog/archive1pflog0.pkt
$ svcadm refresh pflog:default

The administrator copies the archived files to another system for inspection.

# scp /var/log/firewall/pflog/archive*.pkt username@
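An added example, not Oracle's code: a Python helper that automates Example 7. It parses the svcprop property listing shown earlier on this page to find an instance's logfile, renames that file into an archive directory, and only then refreshes the instance, because that order is what makes pflogd let go of the old file. The svcprop text in the block is a constructed copy of the page's listing (on a real system run the command instead), the archive layout and timestamped file names are this example's own choice, and the refresh step is injectable so the function can be exercised on a system without svcadm.

```python
"""Rotate a pflog capture file and refresh its SMF instance.

Added example, not from Oracle's documentation. Follows the page's Example 7:
rename the .pkt file, then `svcadm refresh pflog:<instance>`. The svcprop text
is a constructed copy of the page's listing; archive naming is this example's choice.
"""
import os
import subprocess
import tempfile
import time
from typing import Callable, Optional

# Constructed copy of the `svcprop -g application pflog` output shown on the page.
SAMPLE_SVCPROP = """\
pflog/delay integer 60
pflog/filter astring ""
pflog/interface astring pflog0
pflog/logfile astring /var/log/firewall/pflog/pflog0.pkt
pflog/snaplen integer 160
"""


def parse_svcprop(text: str) -> dict:
    """Parse `group/name type value` lines into a dict keyed by property name.

    integer-typed values become int; the empty astring svcprop prints as "" becomes ''.
    """
    props = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        key = parts[0].split("/", 1)[1]
        ptype = parts[1]
        value = parts[2] if len(parts) > 2 else ""
        if ptype == "integer":
            value = int(value)
        elif value == '""':
            value = ""
        props[key] = value
    return props


def svcadm_refresh(instance: str) -> None:
    """The real refresh step (Solaris only): svcadm refresh pflog:<instance>."""
    subprocess.run(["svcadm", "refresh", f"pflog:{instance}"], check=True)


def rotate_pflog(instance: str, logfile: str, archive_dir: str,
                 refresh: Callable[[str], None] = svcadm_refresh,
                 now: Optional[float] = None) -> str:
    """Rename logfile into archive_dir, then refresh the instance. Returns the archive path.

    os.rename is used deliberately: archive_dir must be on the same filesystem so the
    move is atomic. A copy-then-delete would lose packets pflogd writes during the copy.
    The archive name keeps the instance's own basename, so files from different
    instances are never merged (the page's Caution).
    """
    if not os.path.isfile(logfile):
        raise FileNotFoundError(logfile)
    os.makedirs(archive_dir, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%S", time.gmtime(now))
    dest = os.path.join(archive_dir, f"{stamp}-{os.path.basename(logfile)}")
    if os.path.exists(dest):
        raise FileExistsError(dest)
    os.rename(logfile, dest)
    refresh(instance)          # pflogd reopens its configured logfile path
    return dest


def demo_rotate() -> dict:
    """Exercise rotate_pflog in a throwaway directory with a recording fake refresh."""
    work = tempfile.mkdtemp(prefix="pflogdemo-")
    logfile = os.path.join(work, "pflog0.pkt")
    with open(logfile, "wb") as f:
        f.write(b"\xd4\xc3\xb2\xa1")          # stand-in for capture content
    refreshed = []
    dest = rotate_pflog("default", logfile, os.path.join(work, "archive"),
                        refresh=refreshed.append, now=0)
    return {
        "dest": os.path.basename(dest),
        "refreshed": refreshed,
        "original_gone": not os.path.exists(logfile),
        "archived_size": os.path.getsize(dest),
    }


if __name__ == "__main__":
    # Real use: props = parse_svcprop(subprocess.check_output(
    #     ["svcprop", "-g", "application", "pflog:default"], text=True))
    # rotate_pflog("default", props["logfile"], "/var/log/firewall/pflog/archive")
    print(parse_svcprop(SAMPLE_SVCPROP)["logfile"])
    print(demo_rotate())
```

The helper leaves the scp step to the administrator: transfer the archived file only after the refresh has completed, so that the copy is not taken from a file pflogd is still writing.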


Caution  -  Do not store packets from different pflog instances in the same log file, and do not have more than one instance read the same capture datalink simultaneously.