The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).

An XCCDF Rule

Description

<VulnDiscussion>A firewall that relies on a deny all, permit by exception strategy requires all traffic to have explicit permission before traversing an interface on the host. The firewall must incorporate stateful packet filtering and logging. Nonlocal maintenance and diagnostic communications often contain sensitive information and must be protected. The security of these remote accesses can be ensured by sending nonlocal maintenance and diagnostic communications through encrypted channels enforced via firewall configurations. Satisfies: SRG-OS-000074, SRG-OS-000096, SRG-OS-000112, SRG-OS-000113, SRG-OS-000125, SRG-OS-000250, SRG-OS-000393</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-216150r986422_rule
Severity: Medium
References: CCI-000197 CCI-000366 CCI-000382 CCI-000877 CCI-001453 CCI-001941 CCI-002890
Updated: 17 days ago

The root role is required.

For Solaris 11, 11.1, 11.2, and 11.3, that use IP Filter, configure and enable the IP Filters policy.

# pfedit /etc/ipf/ipf.conf. 
Add these lines to the file:

# Do not allow all outbound traffic, keep state, and log
block out log all keep state keep frags
# Block and log everything else that comes in
block in log all
block in log from any to 255.255.255.255
block in log from any to 127.0.0.1/32

Enable ipfilter.

# svcadm enable ipfilter

Notify ipfilter to use the new configuration file.

# ipf -Fa -f /etc/ipf/ipf.conf

For Solaris 11.3 or newer, that use Packet Filter, configure and enable the Packet Filter’s policy.
# pfedit /etc/firewall/pf.conf.

Add these lines to the file:

# Block and log all traffic on all interfaces in either direction from
# anywhere to anywhere
block log all

Enable Packet Filter.

# svcadm enable firewall:default
Enable Packet Filter logging daemon.
# svcadm enable firewall/pflog:default

Note: Because the default firewall rules block all network access to the system, ensure that there is still a method to access the system such as SSH or console access prior to activating the firewall rules. Operational requirements may dictate the addition of protocols such as SSH, DNS, NTP, HTTP, and HTTPS to be allowed.

The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).

Description

Remediation - Manual Procedure