Configure Firewalld to Restrict Loopback Traffic
An XCCDF Rule
Description
Configure firewalld
to restrict loopback traffic to the lo
interface.
The loopback traffic must be trusted by assigning the lo
interface to the
firewalld
trusted
zone. However, the loopback traffic must be restricted
to the loopback interface as an anti-spoofing measure.
To configure firewalld
to restrict loopback traffic to the lo
interface,
run the following commands:
sudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop' sudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'To ensure
firewalld
settings are applied in runtime, run the following command:
firewall-cmd --reload
Rationale
Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.
- ID
- xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_restricted
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if ! rpm -q --quiet "firewalld" ; then
yum install -y "firewalld"
fi
Remediation - Ansible
- name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld Package
is Installed
ansible.builtin.package:
name: '{{ item }}'
state: present
with_items: