How to configure OpenBSD PF on Solaris
Sasha and the rest of the firewall development have put together a nice overview of the plan for using PF as our firewall, and some of the details on deployment and configuration.
The current list of features not yet implemented:
PF on Solaris is derived from the PF found in OpenBSD 5.5. The list of features missing on Solaris is as follows:
- NAT-64 as described by RFC 6146
- packet queuing (QOS)
- flow stats
- divert sockets
- policy-based routing and a few other small features
Some details on the packaging changes for PF:
So let’s get started. The PF firewall is delivered by the pkg:/network/firewall package. There are two additional packages:
The two packages above will be covered by dedicated blog entries later. The firewall package must be installed explicitly. You are welcome to read the NWSEC guide and the manual pages:
And some advice on basic configuration for the firewall:
For basic firewall operations (enable/disable, configure) you should stick to the Solaris way, which is svcadm(1M) + pfconf.
The pfctl(1M) command is still useful for advanced operations such as watching firewall kernel module status. The -s (a.k.a. show) switch is your best friend when it comes to troubleshooting. In my opinion the most useful options are as follows:
- i (info): displays firewall status (enabled/disabled) and statistics
- r (rules): shows the list of rules loaded in the kernel
- s (states): lists the states kept for packets
- T (tables): shows the address tables used to match packets
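As an added example (not from the original post or from the Solaris firewall team), here is a small POSIX shell helper that captures the four `pfctl -s` views above into one timestamped directory, so the firewall state can be reviewed after an incident instead of being reconstructed from memory. It assumes the Solaris pfctl accepts the same `-si`/`-sr`/`-ss`/`-sT` modifiers listed above and prints the usual `Status: Enabled` line in its info output; `PFCTL` can be overridden to point at a wrapper or a stub.

```shell
#!/bin/sh
# pf_snapshot.sh (added example): snapshot the pfctl -s views for later review.
# PFCTL defaults to pfctl; override it (e.g. with a wrapper) when testing.
PFCTL="${PFCTL:-pfctl}"

# pf_snapshot OUTDIR -> writes info.txt rules.txt states.txt tables.txt
# under OUTDIR/<UTC timestamp>/ and prints that directory's path.
pf_snapshot() {
    outdir="$1/$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$outdir" || return 1
    # Each view is captured separately; stderr is kept with stdout so a
    # failure (PF disabled, insufficient privilege) is recorded as well.
    "$PFCTL" -si > "$outdir/info.txt"   2>&1   # status and statistics
    "$PFCTL" -sr > "$outdir/rules.txt"  2>&1   # rules loaded in the kernel
    "$PFCTL" -ss > "$outdir/states.txt" 2>&1   # state table entries
    "$PFCTL" -sT > "$outdir/tables.txt" 2>&1   # address tables
    printf '%s\n' "$outdir"
}

# pf_is_enabled SNAPDIR -> 0 if the captured info view says PF is enabled
# (assumes the "Status: Enabled ..." first line that OpenBSD's pfctl prints).
pf_is_enabled() {
    grep -q '^Status: Enabled' "$1/info.txt"
}

# Usage: sh pf_snapshot.sh run [/var/tmp/pf-snapshots]
if [ "${1:-}" = "run" ]; then
    dir=$(pf_snapshot "${2:-/var/tmp/pf-snapshots}") || exit 1
    if pf_is_enabled "$dir"; then
        echo "PF enabled; snapshot written to $dir"
    else
        echo "PF not reported enabled; see $dir/info.txt"
    fi
fi
```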
Please have a read through the full post for more details.