4.3.2 Ensure nftables established connections are configured

Information

Configure the firewall rules for new outbound and established connections

Note: - IF - Firewalld is in use, this recommendation can be skipped.

If rules are not in place for established connections, all packets will be dropped by the default policy, preventing network usage.

Solution

- IF - the NFTables utility is in use on your system:

Configure nftables in accordance with site policy. The following commands will implement a policy to allow all established connections:

# systemctl is-enabled nftables.service | grep -q 'enabled' && nft add rule inet filter input ip protocol tcp ct state established accept
# systemctl is-enabled nftables.service | grep -q 'enabled' && nft add rule inet filter input ip protocol udp ct state established accept
# systemctl is-enabled nftables.service | grep -q 'enabled' && nft add rule inet filter input ip protocol icmp ct state established accept
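As an added example (not part of the benchmark text), the following POSIX shell script checks a saved `nft list ruleset` dump for the three established-connection accept rules that the commands above create; the ruleset embedded in it is constructed sample data, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: offline audit of an `nft list ruleset` dump for the
# established-connection accept rules expected by this benchmark item.
# SAMPLE_RULESET is constructed sample text; on a real host substitute
# the output of `nft list ruleset`.

SAMPLE_RULESET='table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iif "lo" accept
		ip protocol tcp ct state established accept
		ip protocol udp ct state established accept
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
	}
	chain output {
		type filter hook output priority 0; policy drop;
		ip protocol tcp ct state new,related,established accept
	}
}'

# Print the body of one chain: the lines between "chain NAME {" and its
# closing brace.  $1 = ruleset text, $2 = chain name.
chain_body() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "chain" && $2 == c { inside = 1; next }
        inside && $1 == "}"     { inside = 0 }
        inside                  { print }'
}

# Return 0 if the input chain accepts established traffic for protocol $2.
# "established" may appear alone or inside a list such as new,related,established.
has_established_accept() {
    chain_body "$1" input | grep -Eq "ip protocol $2 ct state [a-z,]*established[a-z,]* accept"
}

# Print, space separated, the protocols (of tcp udp icmp) whose
# established-accept rule is missing from the input chain.
missing_established() {
    missing=""
    for p in tcp udp icmp; do
        has_established_accept "$1" "$p" || missing="$missing $p"
    done
    printf '%s' "${missing# }"
}

missing_established "$SAMPLE_RULESET"   # prints "icmp" for the constructed sample
```

Only the `input` chain is inspected, so the established rule in the constructed `output` chain does not count towards the check.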

See Also

https://workbench.cisecurity.org/benchmarks/18208

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Unix

Control ID: d486e5a64739bb0a3c9cd525005fe4268735e67083647ad04a1297fc8ee42dd9