3.4.2.3 Ensure firewalld drops unnecessary services and ports

Information

Services and ports can be accepted or explicitly rejected or dropped by a zone.

For every zone, you can set a default behavior that handles incoming traffic that is not further specified. Such behavior is defined by setting the target of the zone. There are three options - default, ACCEPT, REJECT, and DROP.

- ACCEPT - you accept all incoming packets except those disabled by a specific rule.
- REJECT - you disable all incoming packets except those that you have allowed in specific rules and the source machine is informed about the rejection.
- DROP - you disable all incoming packets except those that you have allowed in specific rules and no information sent to the source machine.

To reduce the attack surface of a system, all services and ports should be blocked unless required

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

If Firewalld is in use on the system:

Run the following command to remove an unnecessary service:

# firewall-cmd --remove-service=<service>

Example:

# firewall-cmd --remove-service=cockpit

Run the following command to remove an unnecessary port:

# firewall-cmd --remove-port=<port-number>/<port-type>

Example:

# firewall-cmd --remove-port=25/tcp

Run the following command to make new settings persistent:

# firewall-cmd --runtime-to-permanent

See Also

https://workbench.cisecurity.org/benchmarks/15287

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Unix

Control ID: 5fc8ff50e22a6200cbbdf85c4635c9318f4f187cac28f53f15326d37ddf5414d