This section describes the basic firewall rule set that Oracle Solaris provides for you to modify or replace, and the pflog service for logging PF packets.
The pf.conf file in the firewall package provides a basic firewall only. If you reboot the system with an invalid pf.conf file, Oracle Solaris loads this basic rule set.
The basic rule set is similar to the following:
## PF does IP reassembly by default.
## On Oracle Solaris, the 'no-df' option ensures that IP reassembly works
## with broken stacks that send packets with the invalid flag combination 'MF|DF'.
##
set reassemble yes no-df
##
## Ignore loopback traffic by default.
##
## Filtering on loopback can interfere with zone installation and other
## operations due to Oracle Solaris optimizations. See the pf.conf(5)
## man page for guidance on how to enable it for your application.
set skip on lo0
This initial configuration enables you to reach the system remotely by using Secure Shell and modify the firewall.
Packet filter logging is an additional SMF service in PF. To log packet filter events, you need to install the logging package, enable the logging service, and have log actions in your PF rules. The package name is network/firewall/firewall-pflog and the default logging service instance is pflog:default.
The following describes the overall process:
A pflog service instance creates a capture datalink. The datalink is stored as the value of the service property interface.
A packet enters PF and matches a rule with a log action.
PF sends the matched packet to the capture datalink specified by the log action. If no capture datalink is specified, PF uses the default (pflog0) capture datalink.
The pflog service instance that reads the capture datalink uses its filter expression to determine whether to write the packet to the log. The default service instance has no filter expression, so all packets are written to the log.
The log file written by the pflog daemon is in libpcap format. Oracle Solaris provides several tools that can read this format, including tcpdump and tshark. For more information, see the tcpdump(1), tshark(1), and pcap(3PCAP) man pages.
Initially, packet logging uses the pflog:default service instance, which sends packets to the pflog0.pkt log file. You might want to create new service instances for packets that arrive on a particular port, for packets that need a longer snaplen, or for debugging or other purposes. For the properties that you can specify for a pflog service instance, see the pflogd(8) man page.
To see the initial values of the default pflog service properties, run the following command on a newly installed system:
% svcprop -g application pflog
pflog/delay integer 60
pflog/filter astring ""
pflog/interface astring pflog0
pflog/logfile astring /var/log/firewall/pflog/pflog0.pkt
pflog/snaplen integer 160
The following examples illustrate typical log file administration tasks. For more examples, see the pflogd(8) man page.
Example 4 Creating a New pflog Service Instance
The following command creates a new instance called pflssh1 for logging packets whose source or destination is port 22.
$ pflogd -C pflssh1 port 22
The following command shows the configuration of the instance, including its log file and filter.
$ pflogd -c pflssh1
PF pflogd configuration:
- logfile: /var/log/firewall/pflog/pflssh1.pkt
- snaplen: 160
- interface: pflssh1
- delay: 60
- filter: port 22
When a packet matches a PF rule that includes the log (to pflssh1) action and port 22, the pflogd daemon adds a log entry to the pflssh1.pkt file from the capture datalink.
For example, packets that match the following rule become entries in the pflssh1.pkt file:
pass in log (to pflssh1) proto tcp to any port 22
Note that packets from a remote host to another remote host's port 22 will be logged.
Similarly, as an example of the second level of filtering, the following rule sends every inbound TCP packet that it passes to the pflssh1 capture datalink, but only packets from or to port 22 are written to the log, because the pflssh1 instance's filter expression is port 22:
pass in log (to pflssh1) proto tcp from any to any
Example 5 Specifying a Log File for a pflog Service Instance
In this example, the logs of the new service instance are placed in a directory below the /var/log/firewall/pflog/ directory.
$ pflogd -C debug0 -f /var/log/firewall/pflog/debug/debug0.pkt
Example 6 Dedicating a PF Log File to One Rule
In this example, the administrator logs only packets that match a given rule to a capture datalink and subsequent log file.
First, the administrator creates the dedicated pflog instance.
$ pflogd -C pflog21
Then, the administrator specifies the capture datalink in the rule.
pass in log (to pflog21) proto tcp from any to any port = 21
The path to the log file is /var/log/firewall/pflog/pflog21.pkt.
Example 7 Rotating PF Log Files
The following command archives the current log. After the administrator refreshes the service, the pflog0.pkt log file is empty and ready for new entries.
$ mv /var/log/firewall/pflog/pflog0.pkt /var/log/firewall/pflog/archive1pflog0.pkt
$ svcadm refresh pflog:default
The administrator copies the archived files to another system for inspection.
# scp /var/log/firewall/pflog/archive*.pkt email@example.com:/logs/pflogs/
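The rotation in Example 7 can be scripted so that every archive gets a timestamped name instead of a hand-chosen one. The script below is an added example, not part of the Oracle Solaris documentation: the function names, the archive directory layout and the timestamp format are this script's own choices. It assumes the svcprop(1) and svcadm(8) usage shown on this page (svcprop -p to read the logfile property, svcadm refresh to make pflogd reopen its log file).

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): rotate a pflog
# instance's log file the way Example 7 does by hand, but under a timestamped
# archive name. Function names and the archive layout are assumptions of this
# script, not part of the pflog service.

# Move one log file into an archive directory under a timestamped name and
# print the archived path. Works on any file, so it can be tried outside Solaris.
archive_pflog_log() {
    logfile=$1
    archive_dir=$2
    [ -f "$logfile" ] || { echo "no such log file: $logfile" >&2; return 1; }
    mkdir -p "$archive_dir"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    base=$(basename "$logfile" .pkt)
    archived="$archive_dir/$base.$stamp.pkt"
    mv "$logfile" "$archived"
    printf '%s\n' "$archived"
}

# Rotate a named pflog instance on a live Solaris system: look up its logfile
# property, archive the file, then refresh the instance so pflogd opens a fresh,
# empty log file (the svcadm refresh step from Example 7).
rotate_pflog_instance() {
    inst=$1
    archive_dir=$2
    logfile=$(svcprop -p pflog/logfile "pflog:$inst") || return 1
    archive_pflog_log "$logfile" "$archive_dir" || return 1
    svcadm refresh "pflog:$inst"
}

# Usage on a live system (as an administrator):
#   rotate_pflog_instance default /var/log/firewall/pflog/archive
```

Keep the archive directory on the same filesystem as the log file: then the mv is a rename, and any entries pflogd writes between the mv and the refresh go to the renamed file through its still-open descriptor rather than being lost.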
Caution - Do not store packets from different pflog instances in the same log file. Also, do not have more than one instance use the same capture datalink simultaneously.
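Both conditions in the caution above, and the per-instance properties shown earlier (interface and logfile), can be checked mechanically once several pflog instances exist. The script below is an added example, not part of the Oracle Solaris documentation. The record format "instance property value" is this script's own convention: on a live system it is built from svcprop output (assuming that svcs pflog lists every instance of the service and that svcprop -p prints a bare property value, as the page's svcprop output suggests); offline it runs on a constructed sample.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): report any capture
# datalink (interface) or log file that more than one pflog instance claims.
# The "<instance> <property> <value>" record format is this script's own
# convention, used so that the check can run on constructed input.

# On a live system: list every pflog instance and print its interface and
# logfile properties, one record per line.
collect_pflog_resources() {
    svcs -H -o fmri pflog | while read -r fmri; do
        inst=${fmri##*:}                 # svc:/.../pflog:default -> default
        for prop in interface logfile; do
            val=$(svcprop -p "pflog/$prop" "$fmri")
            printf '%s %s %s\n' "$inst" "$prop" "$val"
        done
    done
}

# Read records from stdin; print one line per interface or logfile value that is
# claimed by more than one instance. Exit status 1 if a conflict was found.
find_shared_pflog_resources() {
    awk '
        $2 == "interface" || $2 == "logfile" {
            key = $2 ":" $3
            if (key in owner && owner[key] != $1) {
                printf "%s %s is used by both %s and %s\n", $2, $3, owner[key], $1
                rc = 1
            } else {
                owner[key] = $1
            }
        }
        END { exit rc + 0 }'
}

# Constructed sample: three instances, where a hypothetical debug0 instance has
# its interface property set to pflog0, the datalink the default instance reads.
SAMPLE_PFLOG_RECORDS='default interface pflog0
default logfile /var/log/firewall/pflog/pflog0.pkt
pflssh1 interface pflssh1
pflssh1 logfile /var/log/firewall/pflog/pflssh1.pkt
debug0 interface pflog0
debug0 logfile /var/log/firewall/pflog/debug/debug0.pkt'

if command -v svcs >/dev/null 2>&1; then
    collect_pflog_resources | find_shared_pflog_resources
else
    printf '%s\n' "$SAMPLE_PFLOG_RECORDS" | find_shared_pflog_resources \
        || echo "pflog configuration conflicts found"
fi
```

On the constructed sample the check reports that pflog0 is used by both default and debug0. The awk fields are whitespace-separated, so a log file path containing spaces would need the record format to be quoted before this check could be trusted on it.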