3.6.1.4 Ensure loopback traffic is configured - allow in v4

Information

Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6).

Rationale:

Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.

Solution

Run the following commands to implement the loopback rules:

# ufw allow in on lo

# ufw allow out from lo

# ufw deny in from 127.0.0.0/8

# ufw deny in from ::1

See Also

https://workbench.cisecurity.org/files/2920

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv7|9.4

Plugin: Unix

Control ID: 25beeb82010b9a017a87811351ed4be6041bdaa39bcc7213d825e8b1494160c9