Rules Related To 'firewalld'

Component overview

Changelog:

No changes recorded.

Rule details

Configure the Firewalld Ports

configure_firewalld_ports

Description

Configure the firewalld ports so that only approved services can reach the system. Without --zone, firewall-cmd applies the change to the default zone. To configure firewalld to open a port, run the following command:

$ sudo firewall-cmd --permanent --add-port=port_number/tcp
To configure firewalld to allow access for a pre-defined service, run the following command:
$ sudo firewall-cmd --permanent --add-service=service_name
Changes made with --permanent are written to the saved configuration only; to apply them to the running firewall, run:
$ sudo firewall-cmd --reload

Rationale

In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.

Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by one component.

To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business.

Configure firewalld To Rate Limit Connections

configure_firewalld_rate_limiting

Description

Create a direct firewall rule to protect against DoS attacks with the following command, then run firewall-cmd --reload to apply it to the running firewall:

$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j INPUT_ZONES

The limit match counts TCP packets, not new connections, and the rule only covers IPv4; an equivalent ipv6 rule is needed for IPv6 traffic. Note that the direct interface is deprecated since firewalld 1.0 in favor of policies, so verify the rule is still accepted on the installed version with firewall-cmd --direct --get-all-rules.

Rationale

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.

This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.

Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems

configured_firewalld_default_deny

Description

Amazon Linux 2023 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be used to implement a deny-all, allow-by-exception approach. The built-in "drop" zone drops all incoming network packets unless they are explicitly allowed by the zone's configuration or belong to a connection initiated from the system.

Rationale

Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of data.

Ensure firewall rules exist for all open ports

ensure_firewall_rules_for_open_ports

Description

Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.

Rationale

Without a firewall rule governing an open port, the zone's default behavior decides what reaches it: with a drop default, all packets to that port are discarded, and the listening service is either unreachable or, under a permissive default, exposed to every source instead of an approved set.

Configure Firewalld to Use the Nftables Backend

firewalld-backend

Description

Firewalld can be configured with more than one backend (nftables or iptables). Set FirewallBackend=nftables in /etc/firewalld/firewalld.conf and restart the firewalld service; a plain firewall-cmd --reload does not switch the backend.

Rationale

nftables is the modern kernel packet-classification framework for controlling network connections coming into a system. Utilizing the limit statement in nftables can help to mitigate DoS attacks.

Configure Firewalld to Restrict Loopback Traffic

firewalld_loopback_traffic_restricted

Description

Configure firewalld to restrict loopback traffic to the lo interface. The loopback traffic must be trusted by assigning the lo interface to the firewalld trusted zone. However, the loopback traffic must be restricted to the loopback interface as an anti-spoofing measure. To configure firewalld to restrict loopback traffic to the lo interface, run the following commands:

sudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
sudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
To ensure firewalld settings are applied in runtime, run the following command:
firewall-cmd --reload

Rationale

Loopback traffic is generated between processes on a machine and is typically critical to the operation of the system. The loopback interface is the only place that loopback network traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.

Configure Firewalld to Trust Loopback Traffic

firewalld_loopback_traffic_trusted

Description

Assign loopback interface to the firewalld trusted zone in order to explicitly allow the loopback traffic in the system. To configure firewalld to trust loopback traffic, run the following command:

sudo firewall-cmd --permanent --zone=trusted --add-interface=lo
To ensure firewalld settings are applied in runtime, run the following command:
firewall-cmd --reload

Rationale

Loopback traffic is generated between processes on a machine and is typically critical to the operation of the system. The loopback interface is the only place that loopback network traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.

Grant Or Deny System Access To Specific Hosts And Services

network_implement_access_control

Description

To verify the system's access control program is configured to grant or deny system access to specific hosts check to see if "firewalld" is active with the following command:

# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago
If "firewalld" is active, check to see if it is configured to grant or deny access to specific hosts or services with the following commands:
# firewall-cmd --get-default-zone
public

# firewall-cmd --list-all --zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: mdns ssh
ports:
protocols:
masquerade: no
forward-ports:
icmp-blocks:
If "firewalld" is not active, determine whether "tcpwrappers" is being used by checking whether the "hosts.allow" and "hosts.deny" files are empty with the following commands:
# ls -al /etc/hosts.allow
-rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow

# ls -al /etc/hosts.deny
-rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny
If "firewalld" and "tcpwrappers" are not installed, configured, and active, ask the SA if another access control program (such as iptables) is installed and active. Ask the SA to show that the running configuration grants or denies access to specific hosts or services. If "firewalld" is active and is not configured to grant access to specific hosts or "tcpwrappers" is not configured to grant or deny access to specific hosts, this is a finding.

Rationale

If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.

Install firewalld Package

package_firewalld_installed

Description

The firewalld package can be installed with the following command:

$ sudo dnf install firewalld

Rationale

"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Amazon Linux 2023 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).

Uninstall firewalld Package

package_firewalld_removed

Description

firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options. The firewalld package can be removed with the following command:

$ sudo dnf remove firewalld

Rationale

Running both nftables.service and firewalld.service may lead to conflict and unexpected results.

Verify firewalld service disabled

service_firewalld_disabled

Description

Firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. There is a separation of the runtime and permanent configuration options. The firewalld service can be disabled with the following command:

$ sudo systemctl mask --now firewalld.service

Rationale

Running firewalld alongside another service with the same functionality (for example nftables.service or iptables.service) may lead to conflicts and unexpected results.

Verify firewalld Enabled

service_firewalld_enabled

Description

The firewalld service can be enabled with the following command:

$ sudo systemctl enable firewalld.service

Rationale

Access control methods enhance the system security posture by restricting services to known-good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.

Ensure network interfaces are assigned to appropriate zone

set_firewalld_appropriate_zone

Description

Firewall zones define the trust level of network connections or interfaces; an interface bound to no zone falls under the default zone. Note: changing firewall settings while connected over the network can result in being locked out of the system, so verify the zone assignment with firewall-cmd --get-active-zones before reloading.

Rationale

A network interface not assigned to the appropriate zone can allow unexpected or undesired network traffic to be accepted on the interface.

Set Default firewalld Zone for Incoming Packets

set_firewalld_default_zone

Description

To set the built-in default zone, which processes incoming IPv4 and IPv6 packets for any interface or source not bound to another zone, to drop, modify the following line in /etc/firewalld/firewalld.conf to be:

DefaultZone=drop

Rationale

In firewalld the default zone handles every interface, source and connection that is not explicitly bound to another zone. Setting the default zone to drop implements proper design for a firewall, i.e. any packets which are not explicitly permitted are not accepted.
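The following is an added example, not code from firewalld or from the guide this page belongs to. It reads a firewalld.conf-style file and reports the two settings this page asks for (DefaultZone=drop, and FirewallBackend=nftables from the backend rule above). The sample files are constructed; the fallback values for absent keys are the defaults firewalld ships, assumed here.

```python
"""Audit a firewalld.conf for the settings this guide expects.

Added example for this page; not firewalld or ComplianceAsCode code.
"""
from __future__ import annotations

import re
import sys

# Values firewalld applies when a key is absent or commented out
# (assumed from the shipped /etc/firewalld/firewalld.conf).
DEFAULTS = {"DefaultZone": "public", "FirewallBackend": "nftables"}

# What this page's rules require.
EXPECTED = {"DefaultZone": "drop", "FirewallBackend": "nftables"}

# Constructed sample: the as-shipped state, default zone still "public"
# and the backend line left commented out (so the default applies).
SAMPLE_WEAK = """\
# firewalld config file
DefaultZone=public
# FirewallBackend=nftables
CleanupOnExit=yes
"""

# Constructed sample: the hardened state.
SAMPLE_HARDENED = """\
DefaultZone=drop
FirewallBackend=nftables
"""

_KV = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_conf(text: str) -> dict[str, str]:
    """Parse key=value lines; comments and blanks are ignored, last key wins."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def findings(text: str) -> list[str]:
    """Return one message per setting that deviates from EXPECTED."""
    settings = parse_conf(text)
    return [
        f"{key}={settings.get(key)!r}, expected {want!r}"
        for key, want in EXPECTED.items()
        if settings.get(key) != want
    ]


if __name__ == "__main__":
    # Usage: python audit_conf.py /etc/firewalld/firewalld.conf
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_WEAK
    for msg in findings(text) or ["no findings"]:
        print(msg)
```

Run it against /etc/firewalld/firewalld.conf after editing the file; a clean run prints "no findings". Changing FirewallBackend takes effect only after the firewalld service is restarted, so re-check the live value with firewall-cmd --get-default-zone as well.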

Ensure Unnecessary Services and Ports Are Not Accepted

unnecessary_firewalld_services_ports_disabled

Description

Services and ports can be accepted or explicitly rejected or dropped by a zone. For every zone, a default behavior can be set that handles incoming traffic not matched by a more specific rule. Such behavior is defined by setting the target of the zone. The possible options are:

- ACCEPT - accepts all incoming packets except those blocked by a specific rule.
- REJECT - discards all incoming packets except those allowed by specific rules, and the source machine is informed about the rejection.
- DROP - discards all incoming packets except those allowed by specific rules, and no information is sent to the source machine.

Rationale

To reduce the attack surface of a system, all services and ports should be blocked unless required.
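The following is an added example, not code from firewalld or from the guide this page belongs to. It checks three of this page's rules together: that the zone target is not ACCEPT (this rule), that every service or port the zone opens is on an approved list (configure_firewalld_ports), and that every socket listening on a non-loopback address has a firewalld rule (ensure_firewall_rules_for_open_ports). The zone and service XML follow firewalld's file format for /etc/firewalld/zones/*.xml and /usr/lib/firewalld/services/*.xml; the XML, the `ss -Hlntu` output and the approved list are all constructed samples.

```python
"""Cross-check a firewalld zone against an allowlist and listening sockets.

Added example for this page; not firewalld or ComplianceAsCode code.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed zone file in the format of /etc/firewalld/zones/public.xml.
ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Public</short>
  <interface name="eth0"/>
  <service name="ssh"/>
  <service name="mdns"/>
  <port protocol="tcp" port="8080"/>
</zone>
"""

# Constructed service definitions in the format of
# /usr/lib/firewalld/services/<name>.xml (only <port> elements are used).
SERVICE_XML = {
    "ssh": '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "mdns": '<service><short>mDNS</short><port protocol="udp" port="5353"/></service>',
}

# Constructed `ss -Hlntu` output: sshd, a loopback-only PostgreSQL,
# avahi on UDP 5353 and a MySQL listener bound to all IPv6 addresses.
SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      244        127.0.0.1:5432      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*
tcp   LISTEN 0      80              [::]:3306         [::]:*
"""

# Assumed organisational allowlist for this host (not from the page).
APPROVED = {("22", "tcp"), ("5353", "udp")}

Port = tuple[str, str]  # (port number, protocol)


def service_ports(xml_text: str) -> set[Port]:
    """Ports a firewalld service definition opens."""
    root = ET.fromstring(xml_text)
    return {(p.get("port"), p.get("protocol")) for p in root.iter("port")}


def zone_rules(xml_text: str, services: dict[str, str]) -> tuple[str, set[Port]]:
    """Return (zone target, ports opened via <port> and <service> entries)."""
    root = ET.fromstring(xml_text)
    target = root.get("target", "default")  # absent attribute means "default"
    opened = {(p.get("port"), p.get("protocol")) for p in root.findall("port")}
    for svc in root.findall("service"):
        opened |= service_ports(services[svc.get("name")])
    return target, opened


def listening_ports(ss_text: str) -> set[Port]:
    """Ports bound to a non-loopback address, parsed from `ss -Hlntu`."""
    found: set[Port] = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or ":" not in fields[4]:
            continue  # blank line or a header row
        proto, local = fields[0], fields[4]
        host, port = local.rsplit(":", 1)
        if host.startswith("127.") or host == "[::1]":
            continue  # loopback-only listeners need no zone rule
        found.add((port, proto))
    return found


def audit(zone_xml: str, services: dict[str, str], ss_text: str) -> dict[str, list[str]]:
    target, opened = zone_rules(zone_xml, services)
    listening = listening_ports(ss_text)
    report: dict[str, list[str]] = {"target": [], "unapproved": [], "unruled": []}
    if target == "ACCEPT":
        report["target"].append("zone target ACCEPT admits every port not explicitly blocked")
    for port, proto in sorted(opened - APPROVED):
        report["unapproved"].append(f"{port}/{proto} is opened but not on the approved list")
    for port, proto in sorted(listening - opened):
        report["unruled"].append(f"{port}/{proto} listens on a non-loopback address with no firewalld rule")
    return report


if __name__ == "__main__":
    for category, messages in audit(ZONE_XML, SERVICE_XML, SS_OUTPUT).items():
        for msg in messages:
            print(f"[{category}] {msg}")
```

On a live host, feed it the zone file for each active zone (firewall-cmd --get-active-zones), the service files the zone references, and the output of ss -Hlntu; a port reported under "unruled" is exactly the case the open-ports rule describes, and one under "unapproved" is a candidate for firewall-cmd --permanent --remove-port or --remove-service.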