firewall, pf - packet filtering software
The Oracle Solaris PF firewall provides packet filtering capabilities for the Oracle Solaris operating system. It is derived from the OpenBSD PF.
The firewall is kept compatible with its upstream parent as much as possible. Some features provided by the OpenBSD PF are not delivered in Oracle Solaris. Those are:
- NAT-64 as defined by RFC 6146 - pfsync for clustered PF deployment - bandwidth management
Three packages deliver the firewall:
Delivers the core firewall functionality such as PF kernel driver, the pfctl(8) control command, and the svc:/network/firewall smf(7) service.
Delivers the FTP proxy daemon. See ftp-proxy(8) for more details.
Delivers the packet filter logging daemon. See pflogd(8) for more details.
The main firewall package pkg:/network/firewall/firewall defines an optional dependency on the pkg:/network/firewall/firewall-ftp-proxy and pkg:/network/firewall/firewall-pflog packages, so by installing the main package will install the complete Oracle Solaris firewall suite.
The main package and its optional dependencies are delivered with the following group packages:
solaris-large-server solaris-small-server solaris-desktop
The firewall is installed as disabled by default. The configuration shipped by the package defines no network policy. Accordingly, all traffic is allowed to and from the host by default.
If the system is being upgraded from S11.3, any existing PF firewall configuration will be preserved. The upgrade process also handles a conversion from any existing legacy IPF firewall to PF. The IPF to PF conversion is handled by the ipf2pf(7) service, which runs during the first boot to an upgraded boot environment.
The firewall is managed by the svc:/network/firewall transient service. This service supports the following svcadm(8) subcommands:
If the service instance is already online, enabling the instance is a no-operation.
If the service instance is disabled, enabling it flushes the existing firewall state, if any, including rules, state tables, filter information, etc., and loads the rules from the configuration file. After the rules are successfully loaded, the firewall service instance is put in an online state.
If the service instance is already disabled, disabling the instance is a no-operation.
If the service instance is in an online state, disabling the service instance causes the existing firewall state information, if any, including rules, state tables, filter information, etc. to be flushed.
This performs a stop and start of the firewall service instance. The restart has same effect as:
# svcadm disable svc:/network/firewall:default # svcadm enable svc:/network/firewall:default
Loads the fresh firewall configuration from the configuration file. Unlike restart, the firewall is kept in an enabled state throughout the whole operation. No existing firewall state is flushed during the process.
The default firewall service instance reads the configuration from /etc/firewall/pf.conf. The administrator may edit the file to customize the firewall configuration. Any changes to the file are preserved during the upgrade process.
Whenever the default firewall instance fails to start due to a misconfiguration (e.g. a syntax error in the configuration file or the configuration file is non-existent), the service instance is put into the maintenance state. In such a case, to ensure at least basic network security, the start method loads the following basic protection ruleset:
# ignore traffic traveling within loopback set skip on lo0 # block everything unless told otherwise and send TCP-RST/ICMP # unreachable for every packet which gets blocked block return # accept incoming SSH connections pass in proto tcp to any port 22 # allow DHCP do its work - incoming messages pass in inet proto udp from port 67 to port 68 pass in inet6 proto udp from port 547 to port 546 # packet too big - needed for PMTUD pass in inet6 proto ipv6-icmp icmp6-type 2 # router advertisement pass in inet6 proto ipv6-icmp icmp6-type 134 # neighbor solicitation pass in inet6 proto ipv6-icmp icmp6-type 135 # neighbor advertisement pass in inet6 proto ipv6-icmp icmp6-type 136 # allow all connections initiated from this machine, this # includes e.g. DHCP requests pass out
If the administrator enables the default firewall service instance with the configuration shipped by the firewall package, the service instance is put into the degraded state because this configuration provides no network protection. The degraded state reminds an administrator to properly configure the firewall.
The recommended way to control the firewall state on the system is to use svcadm(8) as it provides seamless interoperation with the smf(7) infrastructure. However, Oracle Solaris is compatible with OpenBSD, so the pfctl -d and pfctl -e commands also update the firewall service state.
See attributes(7) for descriptions of the following attributes:
svcs(1), attributes(7), pf.conf(7), smf(7), svcadm(8)
Securing the Network in Oracle Solaris 11.4
The firewall service is managed by the service management facility under the service identifier:
For more information, see the smf(7) man page.
Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using the svcadm(8) command.
The service's status is queried using the svcs(1) command.
The PF firewall was added to Oracle Solaris in Solaris 11.3.0. The PF version is derived from the OpenBSD 5.5 release.