Rules Related To 'ufw'

Component overview

Changelog:

No changes recorded.

Rule details

Verify ufw Active

check_ufw_active

Description

Verify that ufw is enabled on the system with the following command:

$ sudo ufw status

If the above command returns the status as "inactive" or any type of error, this is a finding.

Rationale

Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Ubuntu 22.04 LTS functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components.

Install ufw Package

package_ufw_installed

Description

The ufw package can be installed with the following command:

$ sudo apt-get install ufw

Rationale

ufw is a front end to the Linux kernel's network packet filtering code. It allows system operators to set up firewall rules, IP masquerading, and similar functions.

Remove ufw Package

package_ufw_removed

Description

The ufw package can be removed with the following command:

$ sudo apt-get remove ufw

Rationale

Running iptables-persistent with ufw enabled may lead to conflicts and unexpected results.

Verify ufw Enabled

service_ufw_enabled

Description

The ufw service can be enabled with the following command:

$ sudo systemctl enable ufw.service

Rationale

The ufw service must be enabled and running in order for ufw to protect the system.

Ensure ufw Default Deny Firewall Policy

set_ufw_default_rule

Description

A default deny policy on connections ensures that any unconfigured network usage will be rejected. Note: Any port or protocol without an explicit allow rule before the default deny will be blocked.

Rationale

With a default accept policy, the firewall will accept any packet that is not explicitly configured to be denied. It is easier to allow acceptable usage than to block unacceptable usage.

Set UFW Loopback Traffic

set_ufw_loopback_traffic

Description

Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.

Rationale

Loopback traffic is generated between processes on a machine and is typically critical to the operation of the system. The loopback interface is the only place where loopback network traffic should be seen; all other interfaces should drop traffic from this network as an anti-spoofing measure.
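The following check, added here and not part of the ComplianceAsCode rule content, reads the text of "sudo ufw status verbose" and reports whether the active state, the default-deny incoming policy (set_ufw_default_rule) and the loopback allow and anti-spoofing rules (set_ufw_loopback_traffic) are all in place. The sample status text is constructed in the layout ufw prints, not captured from a real host.

```shell
# Added example (not part of the ComplianceAsCode rule content): each function
# reads "ufw status verbose" text on stdin, so it works on live or saved output.

# Succeeds when the "Default:" line denies (or rejects) incoming traffic
default_incoming_denied() {
    grep -Eq '^Default: *(deny|reject) \(incoming\)'
}

# Succeeds when loopback is allowed on lo and packets claiming a loopback
# source (127.0.0.0/8 or ::1) are denied on every other interface
loopback_rules_present() {
    status=$(cat)
    printf '%s\n' "$status" | grep -Eq '^Anywhere on lo +ALLOW IN' &&
    printf '%s\n' "$status" | grep -Eq '^Anywhere +DENY IN +127\.0\.0\.0/8' &&
    printf '%s\n' "$status" | grep -Eq '^Anywhere \(v6\) +DENY IN +::1'
}

# Prints one FINDING line per failed check; succeeds only if all pass
check_ufw_baseline() {
    status=$(cat)
    rc=0
    printf '%s\n' "$status" | grep -q '^Status: active' ||
        { echo "FINDING: ufw is not active"; rc=1; }
    printf '%s\n' "$status" | default_incoming_denied ||
        { echo "FINDING: default incoming policy is not deny"; rc=1; }
    printf '%s\n' "$status" | loopback_rules_present ||
        { echo "FINDING: loopback allow / anti-spoofing rules are missing"; rc=1; }
    return $rc
}

# Constructed samples in the "ufw status verbose" layout (not captured output)
SAMPLE_GOOD='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
Anywhere on lo             ALLOW IN    Anywhere
Anywhere                   DENY IN     127.0.0.0/8
Anywhere (v6) on lo        ALLOW IN    Anywhere (v6)
Anywhere (v6)              DENY IN     ::1'
SAMPLE_BAD='Status: active
Default: allow (incoming), allow (outgoing), disabled (routed)
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere'

printf '%s\n' "$SAMPLE_GOOD" | check_ufw_baseline && echo "baseline OK"
```

On a live host, run `sudo ufw status verbose | check_ufw_baseline` after sourcing the functions.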

Only Allow Authorized Network Services in ufw

ufw_only_required_services

Description

Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command:

$ sudo ufw show raw
Chain OUTPUT (policy ACCEPT)
target prot opt sources destination
Chain INPUT (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Ask the System Administrator for the site or program PPSM CLSA. Verify that the services allowed by the firewall match the PPSM CLSA.

Rationale

To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.

ufw Must Rate-Limit Network Interfaces

ufw_rate_limit

Description

The operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces. List the services listening on network ports with the following command:

$ sudo ss -l46ut
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 128 [::]:ssh [::]:*

For each entry, verify that ufw is configured to rate-limit the service port with the following command:

$ sudo ufw status

If any port with a state of "LISTEN" is not marked with the "LIMIT" action, run the following command, replacing "service" with the service that needs to be rate-limited:

$ sudo ufw limit "service"

Rate-limiting can also be applied to an interface. An example of adding a rate limit on the eth0 interface follows:

$ sudo ufw limit in on eth0

Rationale

This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.

Ensure ufw Firewall Rules Exist for All Open Ports

ufw_rules_for_open_ports

Description

Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.

Rationale

Without a firewall rule configured for open ports, the default firewall policy will drop all packets to these ports.
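The script below, added here and not part of the ComplianceAsCode rule content, joins the two checks from ufw_rate_limit and ufw_rules_for_open_ports: ports listening on non-loopback addresses (from "ss -lnt46u") are looked up in "ufw status"; a port with no rule fails ufw_rules_for_open_ports, and one whose action is not LIMIT fails ufw_rate_limit. The ss and ufw sample text is constructed in the layout those tools print, not captured from a real host.

```shell
# Added example (not part of the ComplianceAsCode rule content): audit listening
# ports against "ufw status" rules. Sample data below is constructed.

# stdin: "ss -lnt46u" output -> unique "port/proto" lines, loopback excluded
listening_ports() {
    awk 'NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
        n = split($5, a, ":"); port = a[n]
        host = substr($5, 1, length($5) - length(port) - 1)
        if (host ~ /^127\./ || host == "[::1]") next   # loopback-only socket
        print port "/" $1
    }' | sort -u
}

# $1: "port/proto"; stdin: "ufw status" output -> ALLOW/DENY/REJECT/LIMIT or NONE
rule_action() {
    awk -v want="$1" '
        $1 == want { act = ($2 == "(v6)") ? $3 : $2; print act; found = 1; exit }
        END { if (!found) print "NONE" }'
}

# $1: ss output text, $2: ufw status text; prints findings, fails if any
audit_open_ports() {
    rc=0
    for svc in $(printf '%s\n' "$1" | listening_ports); do
        act=$(printf '%s\n' "$2" | rule_action "$svc")
        case $act in
            LIMIT) ;;
            NONE)  echo "FINDING: $svc is listening but has no ufw rule"; rc=1 ;;
            *)     echo "FINDING: $svc has action $act, expected LIMIT"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample output (not captured from a real host)
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53       0.0.0.0:*'
SAMPLE_UFW='To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)'

audit_open_ports "$SAMPLE_SS" "$SAMPLE_UFW" || echo "ufw findings listed above"
```

On a live host, call `audit_open_ports "$(sudo ss -lnt46u)" "$(sudo ufw status)"` after sourcing the functions; the sample reports 80/tcp as listening without a rule.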

Remove iptables-persistent Package

package_iptables-persistent_removed

Description

The iptables-persistent package can be removed with the following command:

$ sudo apt-get remove iptables-persistent

Rationale

Running both ufw and the services included in the iptables-persistent package may lead to conflicts.