Ensure Unnecessary Services and Ports Are Not Accepted
An XCCDF Rule
Description
Services and ports can be accepted, or explicitly rejected or dropped, by a zone.
For every zone, a default behavior can be set that handles incoming traffic that
is not matched by a more specific rule. This behavior is defined by setting the target of the zone.
The possible options are:
- ACCEPT: accepts all incoming packets except those blocked by a specific rule.
- REJECT: blocks all incoming packets except those allowed by specific rules; the
source machine is informed of the rejection.
- DROP: blocks all incoming packets except those allowed by specific rules; no
information is sent to the source machine.
Rationale
To reduce the attack surface of a system, all services and ports should be blocked unless required.
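As an added example (not part of the SSG content or this rule's OVAL check), the following Python script audits firewalld zone files against the rule: it flags a zone whose target is ACCEPT, lists every explicitly allowed service and port so that the ones not required can be identified, and emits the firewall-cmd commands that would remediate. The two zone documents are constructed samples rather than real files from /etc/firewalld/zones/, and REQUIRED_SERVICES/REQUIRED_PORTS are an assumed allow-list for the host being audited.

```python
"""Audit firewalld zone XML for a permissive target and unnecessary services/ports.

Added example, not part of the SSG rule.  Zone files normally live under
/etc/firewalld/zones/ (custom) or /usr/lib/firewalld/zones/ (shipped defaults).
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: target ACCEPT, so every port not explicitly blocked is
# reachable from this zone.  This is a finding for the rule.
ZONE_PERMISSIVE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <port port="8080" protocol="tcp"/>
  <port port="5000-5100" protocol="udp"/>
</zone>
"""

# Constructed sample: the hardened form.  Unmatched traffic is dropped and only
# ssh is explicitly allowed.
ZONE_HARDENED = """<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Public</short>
  <service name="ssh"/>
</zone>
"""

# Assumed allow-list for this host; anything else is treated as unnecessary.
REQUIRED_SERVICES = {"ssh"}
REQUIRED_PORTS = set()  # e.g. {"443/tcp"}


def parse_zone(xml_text):
    """Return the zone target plus the explicitly allowed services and ports."""
    root = ET.fromstring(xml_text)
    # A missing target attribute means firewalld's "default" target.
    target = root.get("target", "default")
    # firewalld stores the REJECT target as %%REJECT%% in zone files.
    if target == "%%REJECT%%":
        target = "REJECT"
    services = [s.get("name") for s in root.findall("service")]
    ports = [f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")]
    return {"target": target, "services": services, "ports": ports}


def audit_zone(zone_name, xml_text,
               required_services=REQUIRED_SERVICES, required_ports=REQUIRED_PORTS):
    """Evaluate one zone; return findings and the firewall-cmd remediation steps."""
    info = parse_zone(xml_text)
    findings, fixes = [], []
    if info["target"] == "ACCEPT":
        findings.append(f"zone {zone_name}: target ACCEPT admits all unmatched inbound traffic")
        fixes.append(f"firewall-cmd --permanent --zone={zone_name} --set-target=DROP")
    for svc in info["services"]:
        if svc not in required_services:
            findings.append(f"zone {zone_name}: unnecessary service {svc}")
            fixes.append(f"firewall-cmd --permanent --zone={zone_name} --remove-service={svc}")
    for port in info["ports"]:
        if port not in required_ports:
            findings.append(f"zone {zone_name}: unnecessary port {port}")
            fixes.append(f"firewall-cmd --permanent --zone={zone_name} --remove-port={port}")
    if fixes:
        # Permanent changes only take effect after a reload.
        fixes.append("firewall-cmd --reload")
    return {"compliant": not findings, "findings": findings, "fixes": fixes, **info}


def audit_zone_dir(directory):
    """Audit every *.xml zone file in a directory (zone name = file stem)."""
    return {p.stem: audit_zone(p.stem, p.read_text()) for p in Path(directory).glob("*.xml")}


if __name__ == "__main__":
    for label, xml_text in (("permissive", ZONE_PERMISSIVE), ("hardened", ZONE_HARDENED)):
        result = audit_zone("public", xml_text)
        print(f"[{label}] target={result['target']} compliant={result['compliant']}")
        for line in result["findings"]:
            print("  finding:", line)
        for cmd in result["fixes"]:
            print("  fix:    ", cmd)
```

On a live host, `audit_zone_dir("/etc/firewalld/zones")` covers the customized zones; `firewall-cmd --get-default-zone` and `firewall-cmd --zone=<zone> --list-all` show the runtime state to compare against. The REJECT target is also an acceptable hardened setting; the script proposes DROP only as the remediation, and the choice between the two is the operator's.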
- ID: xccdf_org.ssgproject.content_rule_unnecessary_firewalld_services_ports_disabled
- Severity: Medium