Securing the Network in Oracle® Solaris 11.3

Updated: April 2019

Preparing to Configure the Oracle Solaris Firewall

This section describes the basic firewall rule set that Oracle Solaris provides for you to modify or replace, and the pflog service for logging PF packets.

Basic Firewall Protection Rule Set

The pf.conf file in the firewall package provides a basic firewall only. If you reboot the system with an invalid pf.conf file, Oracle Solaris loads this basic rule set.

The basic rule set is similar to the following:

## PF does IP reassembly by default. 
## On Oracle Solaris, the 'no-df' option ensures that IP reassembly works
## with broken stacks that send packets with the invalid flag combination 'MF|DF'.
##
set reassemble yes no-df
##
## Ignore loopback traffic by default.
## 
## Filtering on loopback can interfere with zone installation and other
## operations due to Oracle Solaris optimizations. See the pf.conf(5)
## man page for guidance on how to enable it for your application.
set skip on lo0

This initial configuration enables you to reach the system remotely by using Secure Shell and modify the firewall.

Using Packet Filter Logging

Logging packets is an additional SMF service in PF. To log packets, you need to enable the logging service and add log actions in your PF rules. The default logging service instance is pflog:default.

The following describes the overall process:

  1. A pflog service instance creates a capture datalink. The datalink is stored as the value of the service property interface.

  2. A packet enters PF and matches a rule with a log action.

  3. PF sends the matched packet to the capture datalink specified by the log action. If no capture datalink is specified, PF uses the default (pflog0) capture datalink.

  4. The pflog service instance that reads the capture datalink might attach a BPF filter to the capture link, similar to what tcpdump might do. The filter selects a subset of the packet to log. If no filter expression exists, which is the default, all packets are sent to the pflog daemon and then copied into the log.

  5. The administrator archives the log files, refreshes the pflog service to restart the logging, and moves the log files to another system for inspection.

The log file written by the pflog daemon is in libpcap format. Oracle Solaris provides several tools that can read this format, including tshark, tcpdump, and Wireshark. For more information, see the tcpdump(1), tshark(1), and pcap(3PCAP) man pages.

Tip  -  For ease of configuration and debugging, name your capture datalink and log file identically by ending pflog service instance names with a number, such as pflog1 or pflog21.

Initially, packet logging uses the pflog:default service instance, which sends packets to the pflog0.pkt log file. You might want to create new service instances for packets that arrive on a particular port, or for packets that need a longer snaplen, or for debugging or other purposes. For the properties that you can specify for a pflog service instance, see the pflogd(8) man page.
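Because pflog files are plain libpcap, a reviewer on the inspection system can check a shipped log without tcpdump, for instance to see whether the configured snaplen (160 by default) is truncating the packets an instance captures. The following Python script is an added example, not part of this Oracle Solaris documentation; it parses only the libpcap container, not the PF-specific per-packet header, and the sample file it builds is constructed, with link type 117 (DLT_PFLOG) assumed.

```python
import struct

# libpcap magic values read as little-endian uint32: microsecond and nanosecond
# timestamp resolution, each in native ("<") and byte-swapped (">") order.
PCAP_MAGICS = {0xA1B2C3D4: ("<", 1_000_000), 0xD4C3B2A1: (">", 1_000_000),
               0xA1B23C4D: ("<", 1_000_000_000), 0x4D3CB2A1: (">", 1_000_000_000)}


def parse_pflog_pcap(data: bytes) -> dict:
    """Walk a libpcap file and report packet count, how many records the snaplen
    truncated, bytes on the wire and the time span. Raises ValueError on a file
    that is not libpcap or whose record headers are inconsistent."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte libpcap header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError(f"not a libpcap file (magic 0x{magic:08x})")
    endian, ts_div = PCAP_MAGICS[magic]
    vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    stats = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
             "packets": 0, "truncated": 0, "bytes_on_wire": 0,
             "first_ts": None, "last_ts": None, "trailing_bytes": 0}
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"inconsistent record header at offset {off}")
        if off + 16 + incl_len > len(data):
            break  # partial last record: pflogd may still be writing the file
        ts = ts_sec + ts_frac / ts_div
        stats["packets"] += 1
        stats["bytes_on_wire"] += orig_len
        stats["truncated"] += int(incl_len < orig_len)  # caplen < wire length
        stats["first_ts"] = ts if stats["first_ts"] is None else stats["first_ts"]
        stats["last_ts"] = ts
        off += 16 + incl_len
    stats["trailing_bytes"] = len(data) - off
    return stats


def build_sample_pcap() -> bytes:
    """Constructed sample, not a real pflogd capture: little-endian libpcap file,
    snaplen 160, link type 117 (DLT_PFLOG assumed), three records, the second a
    1500-byte packet cut down to the snaplen."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 160, 117)
    records = [(1555000000, 0, 100), (1555000001, 250000, 1500), (1555000002, 500000, 60)]
    body = b"".join(struct.pack("<IIII", sec, usec, min(orig, 160), orig) + b"\0" * min(orig, 160)
                    for sec, usec, orig in records)
    return header + body
```

A non-zero truncated count on a real log is the signal that the instance needs a larger snaplen property before the dropped bytes matter for inspection.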

To see the initial values of the default pflog service properties, run the following command on a newly installed system:

$ svcprop -g application pflog
pflog/delay integer 60
pflog/filter astring ""
pflog/interface astring pflog0
pflog/logfile astring /var/log/firewall/pflog/pflog0.pkt
pflog/snaplen integer 160

The following examples illustrate typical log file administration tasks. For more examples, see the pflogd(8) man page.

Example 4  Creating a New pflog Service Instance

The following command creates a new instance called pflssh1 for logging packets whose source or destination is port 22.

$ pfbash pflogd -C pflssh1 port 22

The following command shows the configuration of the instance, including its log file and filter.

$ pflogd -c pflssh1
PF pflogd configuration:
        - logfile:
                /var/log/firewall/pflog/pflssh1.pkt
        - snaplen:
                160
        - interface:
                pflssh1
        - delay:
                60
        - filter:
                port 22

When a packet matches a PF rule that includes the log (to pflssh1) action and port 22, the pflogd daemon adds a log entry to the pflssh1.pkt file from the capture datalink.

For example, packets that match the following rule become entries in the pflssh1.pkt file:

pass in log (to pflssh1) proto tcp to any port 22

Note that because the rule's destination is any, packets from a remote host to another remote host's port 22 are also logged.

Similarly, as an example of selective filtering, the following rule sends every TCP packet to the pflssh1 capture datalink, but because the pflssh1 instance's filter is port 22, only packets from or to port 22 are written to the pflssh1.pkt file:

pass in log (to pflssh1) proto tcp from any to any

Example 5  Specifying a Log File for a pflog Service Instance

In this example, the log of the new service instance is written to the debug0.pkt file in the debug directory below the /var/log/firewall/pflog/ directory.

$ pfbash pflogd -C debug0 -f /var/log/firewall/pflog/debug/debug0.pkt

Example 6  Rotating PF Log Files

The following commands archive the current log and then refresh the service. After the refresh, the pflog0.pkt log file is empty and ready for new entries.

$ pfbash mv /var/log/firewall/pflog/pflog0.pkt /var/log/firewall/pflog/archive1pflog0.pkt
$ svcadm refresh pflog:default

The administrator copies the archived files to another system for inspection.

# scp /var/log/firewall/pflog/archive*.pkt username@192.0.2.44:/logs/pflogs/

Caution  -  Do not store packets from different pflog instances in the same log file. And, do not have more than one instance use the same capture datalink simultaneously.