4.2.2 Ensure firewalld loopback traffic is configured

Information

Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network

Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.

Solution

Run the following script to implement the loopback rules:

#!/usr/bin/env bash

{ l_hbfw=""
if systemctl is-enabled firewalld.service | grep -q 'enabled'; then
echo -e "
- FirewallD is in use on the system" && l_hbfw="fwd"
elif systemctl is-enabled nftables.service 2>/dev/null | grep -q 'enabled'; then
echo -e "
- nftables is in use on the system
- Recommendation is NA
- Remediation Complete" && l_hbfw="nft"
fi
if [ "$l_hbfw" = "fwd" ]; then
l_ipsaddr="$(nft list ruleset | awk '/filter_IN_public_deny|hooks+inputs+/,/}s*(#.*)?$/' | grep -P -- 'iph+saddr')"
if ! nft list ruleset | awk '/hooks+inputs+/,/}s*(#.*)?$/' | grep -Pq -- 'H+h+"lo"h+accept'; then
echo -e "
- Enabling input to accept for loopback address"
firewall-cmd --permanent --zone=trusted --add-interface=lo
firewall-cmd --reload
else
echo -e "
- firewalld input correctly set to accept for loopback address"
if ! grep -Pq -- 'iph+saddrh+127.0.0.0/8h+(counterh+packetsh+d+h+bytesh+d+h+)?drop' <<< "$l_ipsaddr" &amp;&amp; ! grep -Pq -- 'iph+daddrh+!=h+127.0.0.1h+iph+saddrh+127.0.0.1h+drop' <<< "$l_ipsaddr"; then
echo -e "
- Setting IPv4 network traffic from loopback address to drop"
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
firewall-cmd --reload
else
echo -e "
- firewalld correctly set IPv4 network traffic from loopback address to drop"
fi
if grep -Pq -- '^h*0h*$' /sys/module/ipv6/parameters/disable; then
l_ip6saddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook input/,/}/' | grep 'ip6 saddr')"
if ! grep -Pq 'ip6h+saddrh+::1h+(counterh+packetsh+d+h+bytesh+d+h+)?drop' <<< "$l_ip6saddr" &amp;&amp; ! grep -Pq -- 'ip6h+daddrh+!=h+::1h+ip6h+saddrh+::1h+drop' <<< "$l_ip6saddr"; then
echo -e "
- Setting IPv6 network traffic from loopback address to drop"
firewall-cmd --permanent --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
firewall-cmd --reload
else
echo -e "
- firewalld correctly set IPv6 network traffic from loopback address to drop"
fi
fi
fi
fi
}

See Also

https://workbench.cisecurity.org/benchmarks/18208

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Unix

Control ID: 894ee5b5c0e21de6f192a87a2eb6013d490f3eb11b8fa74cbd68d619890f7335