Ensure nftables Default Deny Firewall Policy

An XCCDF Rule

Details
Profiles
Prose

Description

Base chain policy is the default verdict that will be applied to packets reaching the end of the chain. There are two policies: accept (Default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied and the packet will continue traversing the network stack.

warning alert: Warning

Changing firewall settings while connected over network can result in being locked out of the system.

Rationale

It is easier to allow acceptable usage than to block unacceptable usage.

ID: xccdf_org.ssgproject.content_rule_nftables_ensure_default_deny_policy
Severity: Medium
References: 1.3.1

3.4.3.7
Updated: 8 months ago