Skip to content

Configure firewalld To Rate Limit Connections

An XCCDF Rule

Description

Create a direct firewall rule to protect against DoS attacks with the following command:

$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100  -j INPUT_ZONES

Rationale

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.

This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.

ID
xccdf_org.ssgproject.content_rule_configure_firewalld_rate_limiting
Severity
Medium
References
Updated



Remediation - Ansible

- name: Configure rate limiting direct rule for firewalld
  command: firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0
    -p tcp -m limit --limit 25/minute --limit-burst 100  -j INPUT_ZONES
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-07-040510

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

common_firewalld_ratelimit_args=(--direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100  -j INPUT_ZONES)
if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)"; then
    firewall-offline-cmd "${common_firewalld_ratelimit_args[@]}"