Configure the firewalld ports to allow approved services to have access to the system. To configure firewalld to open ports, run the following command:
firewall-cmd --permanent --add-port=port_number/tcpTo configure firewalld to allow access for pre-defined services, run the following command:
firewall-cmd --permanent --add-service=service_name
In order to prevent unauthorized connection of devices, unauthorized transfer of information,
or unauthorized tunneling (i.e., embedding of data types within data types), organizations must
disable or restrict unused or unnecessary physical and logical ports/protocols on information
systems.
Operating systems are capable of providing a wide variety of functions and services.
Some of the functions and services provided by default may not be necessary to support
essential organizational operations.
Additionally, it is sometimes convenient to provide multiple services from a single component
(e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by
one component.
To support the requirements and principles of least functionality, the operating system must
support the organizational requirements, providing only essential capabilities and limiting the
use of ports, protocols, and/or services to only those required, authorized, and approved to
conduct official business.
Create a direct firewall rule to protect against DoS attacks with the following command:
$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j INPUT_ZONES
DoS is a condition when a resource is not available for legitimate users. When
this occurs, the organization either cannot accomplish its mission or must
operate at degraded capacity.
This requirement addresses the configuration of
the operating system to mitigate the impact of DoS attacks that have occurred or
are ongoing on system availability. For each system, known and potential DoS
attacks must be identified and solutions for each type implemented. A variety of
technologies exist to limit or, in some cases, eliminate the effects of DoS
attacks (e.g., limiting processes or establishing memory partitions). Employing
increased capacity and bandwidth, combined with service redundancy, may reduce
the susceptibility to some DoS attacks.
Fedora incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.
Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of data.
Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.
Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports.
Firewalld can be configured with many backends, such as nftables.
Nftables is modern kernel module for controling network connections coming into a system. Utilizing the limit statement in "nftables" can help to mitigate DoS attacks.
Configure firewalld to restrict loopback traffic to the lo interface. The loopback traffic must be trusted by assigning the lo interface to the firewalld trusted zone. However, the loopback traffic must be restricted to the loopback interface as an anti-spoofing measure. To configure firewalld to restrict loopback traffic to the lo interface, run the following commands:
sudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop' sudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'To ensure firewalld settings are applied in runtime, run the following command:
firewall-cmd --reload
Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Assign loopback interface to the firewalld trusted zone in order to explicitly allow the loopback traffic in the system. To configure firewalld to trust loopback traffic, run the following command:
sudo firewall-cmd --permanent --zone=trusted --add-interface=loTo ensure firewalld settings are applied in runtime, run the following command:
firewall-cmd --reload
Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.
To verify the system's access control program is configured to grant or deny system access to specific hosts check to see if "firewalld" is active with the following command:
# systemctl status firewalld firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled) Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s agoIf "firewalld" is active, check to see if it is configured to grant or deny access to specific hosts or services with the following commands:
# firewall-cmd --get-default-zone public # firewall-cmd --list-all --zone=public public (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: mdns ssh ports: protocols: masquerade: no forward-ports: icmp-blocks:If "firewalld" is not active, determine whether "tcpwrappers" is being used by checking whether the "hosts.allow" and "hosts.deny" files are empty with the following commands:
# ls -al /etc/hosts.allow rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow # ls -al /etc/hosts.deny -rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.denyIf "firewalld" and "tcpwrappers" are not installed, configured, and active, ask the SA if another access control program (such as iptables) is installed and active. Ask the SA to show that the running configuration grants or denies access to specific hosts or services. If "firewalld" is active and is not configured to grant access to specific hosts or "tcpwrappers" is not configured to grant or deny access to specific hosts, this is a finding.
If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.
The firewalld package can be installed with the following command:
$ sudo dnf install firewalld
"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Fedora functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets)."
firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with
support for network/firewall “zones” to assign a level of trust to a network and its
associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet
bridges and also for IPSet firewall settings. There is a separation of the runtime and
permanent configuration options.
The firewalld package can be removed with the following command:
$ sudo dnf erase firewalld
Running both nftables.service and firewalld.service may lead to conflict and unexpected results.
Firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with
support for network/firewall “zones” to assign a level of trust to a network and its
associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet
bridges and also for IPSet firewall settings. There is a separation of the runtime and
permanent configuration options.
The firewalld service can be disabled with the following command:
$ sudo systemctl mask --now firewalld.service
Running Firewalld along other service with the same functionality may lead to conflict and unexpected results.
The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service
Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.
Firewall zones define the trust level of network connections or interfaces. Note: Changing firewall settings while connected over network can result in being locked out of the system.
A network interface not assigned to the appropriate zone can allow unexpected or undesired network traffic to be accepted on the interface.
To set the default zone to drop for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in /etc/firewalld/firewalld.conf to be:
DefaultZone=drop
In firewalld the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to drop implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.
Services and ports can be accepted or explicitly rejected or dropped by a zone. For every zone, a default behavior can be set that handles incoming traffic that is not further specified. Such behavior is defined by setting the target of the zone. The possible options are: - ACCEPT - accepts all incoming packets except those disabled by a specific rule. - REJECT - disables all incoming packets except those that have been allowed in specific rules and the source machine is informed about the rejection. - DROP - disables all incoming packets except those that have been allowed in specific rules and no information sent to the source machine.
To reduce the attack surface of a system, all services and ports should be blocked unless required.