A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.

An XCCDF Rule

Description

Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. RHEL 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.

ID: SV-230504r958672_rule
Version: RHEL-08-040090
Severity: Medium
References: CCI-002314
Updated: about 2 months ago

Remediation Templates

Configure the "firewalld" daemon to employ a deny-all, allow-by-exception with the following commands:

     $ sudo firewall-cmd --permanent --new-zone=[custom]

     $ sudo cp /usr/lib/firewalld/zones/drop.xml /etc/firewalld/zones/[custom].xml
This will provide a clean configuration file to work with that employs a deny-all approach. 

Note: Add the exceptions that are required for mission functionality and update the short title in the xml file to match the [custom] zone name.

Reload the firewall rules to make the new [custom] zone available to load:
     $ sudo firewall-cmd --reload 

Set the default zone to the new [custom] zone:
     $ sudo firewall-cmd --set-default-zone=[custom]

Note: This is a runtime and permanent change.
Add any interfaces to the new [custom] zone:
     $ sudo firewall-cmd --permanent --zone=[custom] --change-interface=ens33

Reload the firewall rules for changes to take effect:
     $ sudo firewall-cmd --reload

A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.

Description

Remediation Templates

A Manual Procedure