3.4.1.2 Ensure a single firewall configuration utility is in use

Information

FirewallD - A firewall service daemon that provides a dynamic, customizable host-based firewall with a D-Bus interface. Being dynamic, it allows rules to be created, changed and deleted without restarting the firewall daemon each time the rules change.

NFTables - Includes the nft utility for configuration of the nftables subsystem of the Linux kernel

Note: firewalld with nftables backend does not support passing custom nftables rules to firewalld, using the --direct option.

In order to configure firewall rules for nftables, a firewall utility needs to be installed and active on the system. The use of more than one firewall utility may produce unexpected results.

Solution

Run the following script to ensure that a single firewall utility is in use on the system:

#!/usr/bin/env bash

{
  l_output="" l_output2="" l_fwd_status="" l_nft_status="" l_fwutil_status=""
  # Determine FirewallD utility status (empty when the package is not installed)
  rpm -q firewalld > /dev/null 2>&1 && l_fwd_status="$(systemctl is-enabled firewalld.service):$(systemctl is-active firewalld.service)"
  # Determine NFTables utility status (empty when the package is not installed)
  rpm -q nftables > /dev/null 2>&1 && l_nft_status="$(systemctl is-enabled nftables.service):$(systemctl is-active nftables.service)"
  # Combined state: <fwd enabled>:<fwd active>:<nft enabled>:<nft active>
  # A missing package leaves its half empty, so the patterns below also match
  # the shorter strings ":enabled:active", "enabled:active:" and ":"
  l_fwutil_status="$l_fwd_status:$l_nft_status"
  case $l_fwutil_status in
    enabled:active:masked:inactive|enabled:active:disabled:inactive)
      echo -e "
- FirewallD utility is in use, enabled and active
- NFTables utility is correctly disabled or masked and inactive
- no remediation required" ;;
    masked:inactive:enabled:active|disabled:inactive:enabled:active)
      echo -e "
- NFTables utility is in use, enabled and active
- FirewallD utility is correctly disabled or masked and inactive
- no remediation required" ;;
    enabled:active:enabled:active)
      echo -e "
- Both FirewallD and NFTables utilities are enabled and active
- stopping and masking NFTables utility"
      systemctl stop nftables && systemctl --now mask nftables ;;
    enabled:*:enabled:*)
      # Both enabled; mask whichever one is not currently active
      echo -e "
- Both FirewallD and NFTables utilities are enabled
- remediating"
      if [ "$(awk -F: '{print $2}' <<< "$l_fwutil_status")" = "active" ] && [ "$(awk -F: '{print $4}' <<< "$l_fwutil_status")" = "inactive" ]; then
        echo " - masking NFTables utility"
        systemctl stop nftables && systemctl --now mask nftables
      elif [ "$(awk -F: '{print $4}' <<< "$l_fwutil_status")" = "active" ] && [ "$(awk -F: '{print $2}' <<< "$l_fwutil_status")" = "inactive" ]; then
        echo " - masking FirewallD utility"
        systemctl stop firewalld && systemctl --now mask firewalld
      fi ;;
    *:active:*:active)
      # Both active; stop and mask whichever one is not enabled at boot
      echo -e "
- Both FirewallD and NFTables utilities are active
- remediating"
      if [ "$(awk -F: '{print $1}' <<< "$l_fwutil_status")" = "enabled" ] && [ "$(awk -F: '{print $3}' <<< "$l_fwutil_status")" != "enabled" ]; then
        echo " - stopping and masking NFTables utility"
        systemctl stop nftables && systemctl --now mask nftables
      elif [ "$(awk -F: '{print $3}' <<< "$l_fwutil_status")" = "enabled" ] && [ "$(awk -F: '{print $1}' <<< "$l_fwutil_status")" != "enabled" ]; then
        echo " - stopping and masking FirewallD utility"
        systemctl stop firewalld && systemctl --now mask firewalld
      fi ;;
    :enabled:active)
      echo -e "
- NFTables utility is in use, enabled, and active
- FirewallD package is not installed
- no remediation required" ;;
    :)
      echo -e "
- Neither FirewallD or NFTables is installed.
- remediating
- installing NFTables"
      dnf -q install nftables ;;
    *:*:)
      echo -e "
- NFTables package is not installed on the system
- remediating
- installing NFTables"
      dnf -q install nftables ;;
    *)
      echo -e "
- Unable to determine firewall state" ;;
  esac
}
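The script above remediates as it goes. For monitoring or a change-controlled environment, an audit-only check that reports the same states without stopping, masking or installing anything is often what is wanted first. The following is an added example, not part of the CIS benchmark or the Tenable audit; fw_unit_status, fw_verdict and fw_audit are names chosen here. It keeps the two utilities as separate arguments instead of joining them into one string, which avoids the field shifting that makes the original need patterns such as ":enabled:active" and "*:*:", and it goes slightly beyond the original by treating "neither utility active" and "active but not enabled at boot" as findings rather than an undetermined state.

```shell
#!/usr/bin/env bash
# Added example, not part of the CIS/Tenable text: an audit-only counterpart to
# the remediation script. fw_verdict classifies the state of the two firewall
# utilities and reports; nothing here stops, masks or installs anything.
# All function names are this example's own.

# fw_unit_status PACKAGE UNIT
#   Prints "<enabled-state>:<active-state>" for UNIT when PACKAGE is installed
#   and nothing otherwise, mirroring l_fwd_status/l_nft_status in the CIS script.
fw_unit_status() {
    rpm -q "$1" >/dev/null 2>&1 || return 0
    printf '%s:%s\n' "$(systemctl is-enabled "$2" 2>/dev/null)" \
                     "$(systemctl is-active "$2" 2>/dev/null)"
}

# fw_verdict FIREWALLD_STATUS NFTABLES_STATUS
#   Each argument is "" (package absent) or "<enabled-state>:<active-state>",
#   e.g. "enabled:active" or "masked:inactive".
#   Prints one line, "PASS:<reason>" or "FAIL:<reason>"; exit status 0 on PASS.
fw_verdict() {
    fwd="$1"; nft="$2"
    fwd_en="${fwd%%:*}"; fwd_act="${fwd#*:}"   # both empty when fwd is ""
    nft_en="${nft%%:*}"; nft_act="${nft#*:}"

    if [ -z "$nft" ]; then
        # the CIS script installs nftables whenever the package is missing
        echo "FAIL:nftables package not installed"; return 1
    fi
    if [ "$fwd_act" = active ] && [ "$nft_act" = active ]; then
        echo "FAIL:both firewalld and nftables are active"; return 1
    fi
    if [ "$fwd_en" = enabled ] && [ "$nft_en" = enabled ]; then
        echo "FAIL:both firewalld and nftables are enabled"; return 1
    fi
    if [ "$fwd_en:$fwd_act" = enabled:active ]; then
        # firewalld is in use; nftables must be disabled or masked and inactive
        case "$nft_en:$nft_act" in
            disabled:inactive|masked:inactive)
                echo "PASS:firewalld in use; nftables is $nft"; return 0 ;;
            *)  echo "FAIL:firewalld in use but nftables is $nft"; return 1 ;;
        esac
    fi
    if [ "$nft_en:$nft_act" = enabled:active ]; then
        # nftables is in use; firewalld must be absent, or disabled/masked and inactive
        case "$fwd_en:$fwd_act" in
            :)  echo "PASS:nftables in use; firewalld not installed"; return 0 ;;
            disabled:inactive|masked:inactive)
                echo "PASS:nftables in use; firewalld is $fwd"; return 0 ;;
            *)  echo "FAIL:nftables in use but firewalld is $fwd"; return 1 ;;
        esac
    fi
    # Neither utility is both enabled and active. The CIS script prints
    # "Unable to determine firewall state" here; for an audit it is a finding.
    if [ "$fwd_act" = active ] || [ "$nft_act" = active ]; then
        echo "FAIL:a firewall utility is active but not enabled at boot (firewalld=$fwd nftables=$nft)"; return 1
    fi
    echo "FAIL:no firewall utility is active (firewalld=$fwd nftables=$nft)"; return 1
}

# fw_audit: read the live package and unit state (needs rpm and systemctl)
# and print the verdict; exit status follows fw_verdict.
fw_audit() {
    fw_verdict "$(fw_unit_status firewalld firewalld.service)" \
               "$(fw_unit_status nftables  nftables.service)"
}

# Usage: sh fw_single_utility_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then fw_audit; fi
```

Because fw_verdict is a pure function of its two arguments, it can be exercised with constructed states (for instance "enabled:active" and "masked:inactive") on any machine, while fw_audit is the only part that touches rpm and systemctl. The exit status makes it usable directly from a cron job or a configuration-management check.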

See Also

https://workbench.cisecurity.org/benchmarks/15287

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Unix

Control ID: c244a3ad9fd99e61f1c2ccea65693518f9bf270f8d9140717a470333c674c746