How to configure OpenBSD PF on Solaris

Sasha and the rest of the firewall development team have put together a nice overview of the plan for using PF as our firewall, along with some of the details on deployment and configuration.

The current list of features not yet implemented:

PF on Solaris is derived from the PF found in OpenBSD 5.5. The features missing on Solaris are as follows:

  • pfsync
  • NAT64 as described by RFC 6146
  • packet queueing (QoS)
  • flow stats
  • divert sockets
  • policy-based routing and a few other small features

Some details on the packaging changes for PF:

So let’s get started. The PF firewall is delivered by the pkg:/network/firewall package. There are two additional packages:

pkg:/network/firewall/ftp-proxy
pkg:/network/firewall/pflog

The two packages above will be covered by dedicated blog entries some time later. The firewall package must be installed explicitly. You are welcome to read the NWSEC guide and the manual pages:

pf.conf(4)
pfctl(1M)

And some advice on basic configuration for the firewall:

For basic firewall operations (enable/disable, configure) you should stick to the Solaris way, which is svcadm(1M) plus the pf.conf(4) configuration file.

The pfctl(1M) command is still useful for advanced operations such as watching the status of the firewall kernel module. The -s (a.k.a. show) switch is your best friend when it comes to troubleshooting. In my opinion the most useful options are as follows:

  • i (info) displays firewall status (enabled/disabled) and statistics
  • r (rules) shows the list of rules loaded in the kernel
  • s (states) lists the states kept for packets
  • T (tables) shows the address tables used to match packets
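To tie the packaging note and the "Solaris way" advice above together, here is an added example (my own script, not code from the original post or from the Solaris firewall team) that installs the package, writes a minimal default-deny ruleset, syntax-checks it with pfctl -n, enables and refreshes the firewall service, and then runs the four pfctl -s views listed above. The config path /etc/firewall/pf.conf, the service name network/firewall, the admin_net macro and the ruleset itself are assumptions constructed for this example; the Solaris-only commands are guarded so the script can also be dry-run on another system, where it only generates the file.

```shell
#!/bin/sh
# Added example for PF on Solaris (not the original post's code).
# Assumptions: rules live in /etc/firewall/pf.conf and the SMF service is
# network/firewall; override PF_CONF to write somewhere else for a dry run.
PF_CONF="${PF_CONF:-/etc/firewall/pf.conf}"

# Install the firewall package explicitly (it is not pulled in by default).
pf_install() {
    command -v pkg >/dev/null 2>&1 || { echo "pkg(1) not found, skipping" >&2; return 0; }
    pkg install network/firewall
}

# Emit a minimal stateful default-deny ruleset in OpenBSD 5.5 pf.conf syntax.
# The admin network is a constructed placeholder; replace it before use.
pf_ruleset() {
    cat <<'EOF'
# constructed example ruleset: deny everything, allow outbound, allow admin SSH
admin_net = "192.0.2.0/24"
set skip on lo0
block return log all
pass out quick inet proto { tcp udp icmp } from any to any keep state
pass in quick inet proto tcp from $admin_net to any port 22 flags S/SA keep state
EOF
}

# Write the ruleset to $1 and, when pfctl exists, parse it with -n (check only,
# nothing is loaded).  Returns 1 on a syntax error so a bad file is never applied.
pf_write_ruleset() {
    out="$1"
    pf_ruleset > "$out"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$out" || return 1
    fi
    return 0
}

# The Solaris way: enable the SMF service, then refresh so the rules in
# pf.conf are reloaded (no direct "pfctl -f" for routine operation).
pf_apply() {
    command -v svcadm >/dev/null 2>&1 || { echo "svcadm not found, skipping" >&2; return 0; }
    svcadm enable network/firewall && svcadm refresh network/firewall
}

# Troubleshooting views from the post: info, rules, states, tables.
pf_show() {
    command -v pfctl >/dev/null 2>&1 || return 0
    pfctl -si   # enabled/disabled and counters
    pfctl -sr   # rules loaded in the kernel
    pfctl -ss   # state table entries
    pfctl -sT   # address tables
}

# Number of filter rules (block/pass lines) in the generated ruleset.
pf_rule_count() {
    pf_ruleset | grep -Ec '^(block|pass) '
}

# Dry run when not root: generate to a temp file; otherwise do the real thing.
if [ "$(id -u)" -eq 0 ] && command -v svcadm >/dev/null 2>&1; then
    pf_install
    pf_write_ruleset "$PF_CONF" && pf_apply && pf_show
else
    pf_write_ruleset "${TMPDIR:-/tmp}/pf.conf.example"
    echo "dry run: ruleset written to ${TMPDIR:-/tmp}/pf.conf.example (${PF_CONF} untouched)"
fi
```

The pfctl -n check before svcadm refresh is the step worth keeping: a refresh with a broken pf.conf leaves the service in maintenance with whatever rules were last loaded, and pfctl -si is then the quickest way to confirm which state you are actually in.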

Please have a read through the full post for more details.