Skip to content

Configure Firewalld to Trust Loopback Traffic

An XCCDF Rule

Description

Assign loopback interface to the firewalld trusted zone in order to explicitly allow the loopback traffic in the system. To configure firewalld to trust loopback traffic, run the following command:

sudo firewall-cmd --permanent --zone=trusted --add-interface=lo
To ensure firewalld settings are applied in runtime, run the following command:
firewall-cmd --reload

Rationale

Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.

ID
xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted
Severity
Medium
References
Updated



Remediation - Ansible

- name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld Package is
    Installed
  ansible.builtin.package:
    name: '{{ item }}'
    state: present
  with_items:

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "firewalld" ; then
    dnf install -y "firewalld"
fi