
man pages section 7: Standards, Environments, Macros, Character Sets, and Miscellany


Updated: Wednesday, January 24, 2018

pf (7)


firewall, pf - packet filtering software


The firewall service provides packet filtering capabilities. This service was introduced to Oracle Solaris as part of the firewall modernization project. It is derived from the PF provided in the OpenBSD 5.5 release.

The pkg:/network/firewall package delivering the firewall service comes with the following group packages:


The following is an excerpt of the pf.conf file containing the basic protection ruleset:

# ignore traffic travelling within loopback
set skip on lo0

# block everything unless told otherwise
# and send TCP-RST/ICMP unreachable
# for every packet which gets blocked
block return

# accept incoming SSH connections
pass in proto tcp to any port 22

# allow DHCP to do its work - incoming messages
pass in inet proto udp from port 67 to port 68
pass in inet6 proto udp from port 547 to port 546

# packet too big - needed for PMTUD
pass in inet6 proto ipv6-icmp icmp6-type 2

# router advertisement
pass in inet6 proto ipv6-icmp icmp6-type 134

# neighbor solicitation
pass in inet6 proto ipv6-icmp icmp6-type 135

# neighbor advertisement
pass in inet6 proto ipv6-icmp icmp6-type 136

# allow all connections initiated from this machine,
# this includes e.g. DHCP requests
pass out

The firewall service tries to load the basic protection ruleset above into the firewall kernel driver whenever the service enters the maintenance state. This typically happens when the firewall service is presented with a syntactically invalid configuration. The basic protection ruleset prevents all inbound sessions from remote hosts except SSH. Outbound sessions to remote hosts are allowed.
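The effect described above can be checked mechanically. The following is an added example, not code from this man page, from Oracle Solaris or from the PF project: a small Python simulation of PF's rule evaluation (without quick, the last matching rule wins, and a packet matching no rule passes) for the subset of pf.conf syntax the basic protection ruleset uses. The packet summaries and the interface name net0 are constructed for the example; it models neither state tracking nor the RST/unreachable replies that block return sends.

```python
"""Added example (not PF or Oracle Solaris code): simulate PF's last-match
evaluation of the basic protection ruleset quoted in the man page."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# The basic protection ruleset from the man page, comments stripped.
BASIC_RULESET = """
set skip on lo0
block return
pass in proto tcp to any port 22
pass in inet proto udp from port 67 to port 68
pass in inet6 proto udp from port 547 to port 546
pass in inet6 proto ipv6-icmp icmp6-type 2
pass in inet6 proto ipv6-icmp icmp6-type 134
pass in inet6 proto ipv6-icmp icmp6-type 135
pass in inet6 proto ipv6-icmp icmp6-type 136
pass out
"""

@dataclass
class Packet:
    """Constructed packet summary: direction in/out, af inet/inet6, proto name."""
    direction: str
    af: str
    proto: str
    sport: int = 0
    dport: int = 0
    icmp6_type: Optional[int] = None
    ifname: str = "net0"          # hypothetical interface name

@dataclass
class Rule:
    """Match criteria of one filter rule; None means 'any'."""
    action: str
    direction: Optional[str] = None
    af: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp6_type: Optional[int] = None

def parse_rule(line: str) -> Rule:
    """Parse the subset of pf.conf filter syntax used in the ruleset above."""
    toks = line.split()
    rule, i = Rule(action=toks[0]), 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            rule.direction = tok
        elif tok in ("inet", "inet6"):
            rule.af = tok
        elif tok == "proto":
            rule.proto, i = toks[i + 1], i + 1
        elif tok == "icmp6-type":
            rule.icmp6_type, i = int(toks[i + 1]), i + 1
        elif tok in ("from", "to"):
            if i + 1 < len(toks) and toks[i + 1] != "port":
                i += 1                # host spec such as "any"; addresses are not modelled
            if i + 2 < len(toks) and toks[i + 1] == "port":
                port, i = int(toks[i + 2]), i + 2
                setattr(rule, "sport" if tok == "from" else "dport", port)
        elif tok != "return":         # 'return' only changes what a block sends back
            raise ValueError(f"unsupported token {tok!r} in: {line}")
        i += 1
    return rule

def load_ruleset(text: str) -> Tuple[List[Rule], Set[str]]:
    """Return the ordered filter rules and the interfaces named in 'set skip on'."""
    rules, skip = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        toks = line.split()
        if not toks:
            continue
        if toks[:3] == ["set", "skip", "on"]:
            skip.update(toks[3:])
        elif toks[0] in ("pass", "block"):
            rules.append(parse_rule(line))
        else:
            raise ValueError(f"unsupported statement: {line}")
    return rules, skip

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion the rule sets must equal the packet's value."""
    for field in ("direction", "af", "proto", "sport", "dport", "icmp6_type"):
        want = getattr(rule, field)
        if want is not None and want != getattr(pkt, field):
            return False
    return True

def evaluate(rules: List[Rule], skip: Set[str], pkt: Packet) -> str:
    """Last matching rule decides; no match means pass; skipped interfaces are unfiltered."""
    if pkt.ifname in skip:
        return "pass"
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
    return verdict
```

Running evaluate over constructed packets shows the property stated above: an inbound TCP connection to port 22 passes, an inbound connection to port 80 is blocked because the initial block return rule matches it and no later rule overrides that verdict, any outbound packet passes, the DHCP and ICMPv6 exceptions pass only for the exact ports and types listed, and traffic on lo0 is never filtered because of set skip.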

The firewall service is delivered as disabled. The firewall package delivers a default pf.conf configuration file, which offers no protection. When the firewall loads this ruleset, the service enters the degraded state. The degraded state notifies the firewall administrator that the firewall is not configured yet, and no network policy is enforced. For more information, see the pf.conf(7) man page.

When an upgrade from an older PF version is performed, the service's enabled or disabled status and the firewall configuration are left intact.


There are two SMF instances of the firewall service:

  • svc:/network/firewall:default

  • svc:/network/firewall:framework

The firewall:default instance is meant to be managed by a human administrator. The instance loads the custom firewall configuration into the PF kernel driver. The location of the configuration file (pf.conf) is kept in the firewall/rules property. The firewall:framework instance is meant to be managed programmatically by Oracle Solaris components such as OpenStack or Docker. There is an optional dependency of firewall:framework on firewall:default.

The firewall:default SMF service supports the start, stop, restart, and refresh methods. The methods are invoked using the svcadm command. For more information, see the svcadm(8) man page.

start
    Flushes the configuration kept by the PF kernel driver and loads a fresh one. The firewall is activated if it was inactive before. All states are flushed as part of this step.

stop
    If the firewall is active, it is deactivated and the configuration kept by the PF kernel driver is flushed. All states are flushed as part of this step. Stopping the service while the network is enabled should only be performed when there is no risk of any network traffic being able to enter the host.

restart
    Performs a stop and start of the firewall service. Using this method on an active firewall results in a window of exposure during which traffic can enter, or pass through, the firewall without being filtered.

refresh
    Flushes the configuration kept by the PF kernel driver and loads a fresh one. All states are flushed as part of this step.

The firewall:framework instance uses a different implementation of the start and refresh methods.

start
    Verifies whether the current configuration used by the PF kernel driver is compatible with firewall:framework. If the current firewall configuration is not compatible because the _auto and _static anchors are missing from the PF main ruleset (pfctl -sr does not show them), the firewall:framework instance is placed in the maintenance state. If the PF driver is currently disabled, it is enabled and firewall:framework loads the configuration required by OpenStack or Docker. All states are flushed as part of this step.

Places firewall:default in the offline state. If firewall:default is not running, the PF module is disabled too.

refresh
    Same as the start method. It checks whether the rules loaded into the PF kernel module are suitable for firewall:framework. If the configuration in the PF driver does not provide the _static and _auto anchors, firewall:framework goes to the maintenance state.

Stops the instance and recursively flushes the _auto and _static anchors. If the default instance is offline, the states are flushed too.


The ability of pfctl to alter the PF driver state is limited when firewall:default is in the maintenance state or when firewall:framework is running. For more information, see the pfctl(8) man page.

In these two cases, the operations listed below are disabled:

pfctl -f
    Loads rules into the PF driver.

pfctl -F
    Flushing rules, fingerprints, or tables is disabled. All other flush operations work.

pfctl -e
    The enable operation on the PF kernel driver. Enables the firewall for the default instance only.

pfctl -d
    The disable operation on the PF kernel driver. Use the svcadm command to disable firewall:{instance name} instead when firewall:framework is running.

You can still change rules in a non-root ruleset. The example command below works even while firewall:framework is running.

pfctl -a test -f pf-test.conf

The above command loads rules from the pf-test.conf file into the test anchor (ruleset).

To remove rules from the test anchor, you can use the following command.

pfctl -A test -Fr

The above command works even while firewall:framework is running, because it does not alter the root (main) ruleset.


The firewall service runs as a transient service. The start method loads firewall rules into the kernel and then exits. When the firewall:default start method fails to load the configuration because of a syntax error, the method loads the basic protection ruleset and tells SMF to put the firewall:default service into the maintenance state. In the case of firewall:framework, SMF is told to put the instance into the maintenance state if firewall:default runs with a configuration that is not compatible with firewall:framework. To recover from the maintenance state, use pfctl -d. The command disables all firewall instances that are in the maintenance state. The command also disables the PF driver if no firewall instance is using it. For more information, see the smf(7) man page.


See attributes(7) for descriptions of the following attributes:

Interface Stability

See Also

svcs(1), attributes(7), pf.conf(7), smf(7), svcadm(8)

Securing the Network in Oracle Solaris 11.4


The firewall service is managed by the service management facility under the service identifier:


For more information, see the smf(7) man page.

Administrative actions on this service, such as enabling, disabling, or requesting a restart, can be performed using the svcadm(8) command.

The service's status is queried using the svcs(1) command.