
man pages section 7: Standards, Environments, Macros, Character Sets, and Miscellany


Updated: Wednesday, July 27, 2022

firewall(7)

Name

firewall, pf - packet filtering software

Description

The Oracle Solaris PF firewall provides packet filtering capabilities for the Oracle Solaris operating system. It is derived from the OpenBSD PF.

The firewall is kept compatible with its upstream parent as much as possible. Some features provided by the OpenBSD PF are not delivered in Oracle Solaris. Those are:

- NAT-64 as defined by RFC 6146
- pfsync for clustered PF deployment
- bandwidth management

INSTALLING

Three packages deliver the firewall:

pkg:/network/firewall/firewall

Delivers the core firewall functionality such as PF kernel driver, the pfctl(8) control command, and the svc:/network/firewall smf(7) service.

pkg:/network/firewall/firewall-ftp-proxy

Delivers the FTP proxy daemon. See ftp-proxy(8) for more details.

pkg:/network/firewall/firewall-pflog

Delivers the packet filter logging daemon. See pflogd(8) for more details.

The main firewall package pkg:/network/firewall/firewall defines an optional dependency on the pkg:/network/firewall/firewall-ftp-proxy and pkg:/network/firewall/firewall-pflog packages, so installing the main package installs the complete Oracle Solaris firewall suite.

The main package and its optional dependencies are delivered with the following group packages:

solaris-large-server
solaris-small-server
solaris-desktop

The firewall is installed as disabled by default. The configuration shipped by the package defines no network policy. Accordingly, all traffic is allowed to and from the host by default.

If the system is being upgraded from S11.3, any existing PF firewall configuration will be preserved. The upgrade process also handles a conversion from any existing legacy IPF firewall to PF. The IPF to PF conversion is handled by the ipf2pf(7) service, which runs during the first boot to an upgraded boot environment.

SERVICE

The firewall is managed by the svc:/network/firewall transient service. This service supports the following svcadm(8) subcommands:

enable

If the service instance is already online, enabling the instance is a no-operation.

If the service instance is disabled, enabling it flushes the existing firewall state, if any, including rules, state tables, filter information, etc., and loads the rules from the configuration file. After the rules are successfully loaded, the firewall service instance is put in an online state.

disable

If the service instance is already disabled, disabling the instance is a no-operation.

If the service instance is in an online state, disabling the service instance causes the existing firewall state information, if any, including rules, state tables, filter information, etc. to be flushed.

restart

This performs a stop and start of the firewall service instance. The restart has the same effect as:

# svcadm disable svc:/network/firewall:default
# svcadm enable svc:/network/firewall:default

refresh

Loads the fresh firewall configuration from the configuration file. Unlike restart, the firewall is kept in an enabled state throughout the whole operation. No existing firewall state is flushed during the process.

The default firewall service instance reads the configuration from /etc/firewall/pf.conf. The administrator may edit the file to customize the firewall configuration. Any changes to the file are preserved during the upgrade process.

Whenever the default firewall instance fails to start due to a misconfiguration (e.g. a syntax error in the configuration file, or a missing configuration file), the service instance is put into the maintenance state. In such a case, to ensure at least basic network security, the start method loads the following basic protection ruleset:

# ignore traffic traveling within loopback
set skip on lo0

# block everything unless told otherwise and send TCP-RST/ICMP
# unreachable for every packet which gets blocked
block return

# accept incoming SSH connections
pass in proto tcp to any port 22

# allow DHCP to do its work - incoming messages
pass in inet proto udp from port 67 to port 68
pass in inet6 proto udp from port 547 to port 546

# packet too big - needed for PMTUD
pass in inet6 proto ipv6-icmp icmp6-type 2

# router advertisement
pass in inet6 proto ipv6-icmp icmp6-type 134

# neighbor solicitation
pass in inet6 proto ipv6-icmp icmp6-type 135

# neighbor advertisement
pass in inet6 proto ipv6-icmp icmp6-type 136

# allow all connections initiated from this machine, this
# includes e.g. DHCP requests
pass out

If the administrator enables the default firewall service instance with the configuration shipped by the firewall package, the service instance is put into the degraded state because this configuration provides no network protection. The degraded state reminds an administrator to properly configure the firewall.
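The following helper script is an added example, not part of the firewall(7) man page or of the Oracle Solaris firewall package. It ties together the behaviour described above: it parse-checks a candidate pf.conf with pfctl before asking smf to load it (so a typo cannot drop the instance into maintenance), prefers refresh over restart so existing state tables survive, audits the ruleset for a directionless default block rule and counts the inbound pass rules it grants, and translates the smf state into the meaning this page gives it. The service name svc:/network/firewall:default and the path /etc/firewall/pf.conf come from the page; the function names are this example's own, the pfctl -n (parse only) flag is assumed to behave as in OpenBSD pfctl, and the sample ruleset is a constructed copy of the basic protection ruleset quoted above.

```shell
#!/bin/sh
# Added example (not from the firewall(7) man page): admin helper for the
# Oracle Solaris PF firewall service. Assumes pfctl -n parses without loading,
# as in OpenBSD pfctl.

FW_INSTANCE="svc:/network/firewall:default"   # service name from the page
PF_CONF="${PF_CONF:-/etc/firewall/pf.conf}"   # default config path from the page

# strip_comments FILE: print rule lines with '#' comments and blank lines removed.
strip_comments() {
  sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# count_inbound_pass FILE: number of 'pass in' rules, i.e. the inbound exposure
# the ruleset grants. Prints 0 (and returns 1, as grep -c does) when none.
count_inbound_pass() {
  strip_comments "$1" | grep -c '^pass in'
}

# has_default_block FILE: succeed if the ruleset has a directionless 'block'
# rule (optionally with return/drop/log), i.e. a default-deny policy like the
# basic protection ruleset. PF uses last-match semantics, so such a rule is
# the fallback for any packet no later 'pass' rule matches.
has_default_block() {
  strip_comments "$1" | grep -Eq '^block( (return|drop|log))*$'
}

# classify_state STATE: explain an smf state string (as printed by
# 'svcs -Ho state') in the terms the man page uses. Pure shell, runs anywhere.
classify_state() {
  case "$1" in
    online)      echo "filtering with $PF_CONF" ;;
    degraded)    echo "enabled with the shipped config: no protection, edit $PF_CONF" ;;
    maintenance) echo "config failed to load, basic protection ruleset active: run 'svcs -x $FW_INSTANCE'" ;;
    disabled)    echo "not filtering: all traffic allowed" ;;
    *)           echo "unknown state '$1'"; return 1 ;;
  esac
}

# safe_refresh [FILE]: parse-check the config before smf loads it, warn when it
# has no default block rule, then refresh (not restart, so state is kept).
# Needs a Solaris host with pfctl(8), svcadm(8) and svcs(1).
safe_refresh() {
  conf="${1:-$PF_CONF}"
  if ! pfctl -nf "$conf"; then
    echo "$conf does not parse; leaving the running ruleset untouched" >&2
    return 1
  fi
  if ! has_default_block "$conf"; then
    echo "warning: $conf has no default block rule; unmatched traffic is allowed" >&2
  fi
  echo "$conf grants $(count_inbound_pass "$conf") inbound pass rule(s)"
  svcadm refresh "$FW_INSTANCE" || return 1
  classify_state "$(svcs -Ho state "$FW_INSTANCE")"
}

# write_sample_ruleset FILE: constructed sample, copied from the basic
# protection ruleset in the man page, to exercise the checks offline.
write_sample_ruleset() {
  cat > "$1" <<'EOF'
# ignore traffic traveling within loopback
set skip on lo0
block return
pass in proto tcp to any port 22
pass in inet proto udp from port 67 to port 68
pass in inet6 proto udp from port 547 to port 546
pass in inet6 proto ipv6-icmp icmp6-type 2
pass in inet6 proto ipv6-icmp icmp6-type 134
pass in inet6 proto ipv6-icmp icmp6-type 135
pass in inet6 proto ipv6-icmp icmp6-type 136
pass out   # everything initiated locally
EOF
}

# Usage on a Solaris host:  sh fwcheck.sh /etc/firewall/pf.conf
# With no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
  safe_refresh "$1"
fi
```

On a real host, the parse check and the default-block audit run before anything touches the live ruleset, which is what keeps the instance from falling into maintenance; the offline functions (strip_comments, count_inbound_pass, has_default_block, classify_state) can also be used in a change-review script against a candidate file without any Solaris tooling present.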

PFCTL ON ORACLE SOLARIS

The recommended way to control the firewall state on the system is to use svcadm(8), as it provides seamless interoperation with the smf(7) infrastructure. However, for compatibility with OpenBSD, the pfctl -d and pfctl -e commands also update the firewall service state.

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE         ATTRIBUTE VALUE
Interface Stability    Committed

See Also

svcs(1), attributes(7), pf.conf(7), smf(7), svcadm(8)

Securing the Network in Oracle Solaris 11.4

Notes

The firewall service is managed by the service management facility under the service identifier:

svc:/network/firewall:default
svc:/network/firewall:framework

For more information, see the smf(7) man page.

Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using the svcadm(8) command.

The service's status is queried using the svcs(1) command.

History

The PF firewall was added to Oracle Solaris in Solaris 11.3.0. The PF version is derived from the OpenBSD 5.5 release.