3.4.1.6 Ensure ufw firewall rules exist for all open ports

Information

Services and ports can be accepted or explicitly rejected.

Note:

- Changing firewall settings while connected over network can result in being locked out of the system
- The remediation command opens up the port to traffic from all sources. Consult ufw documentation and set any restrictions in compliance with site policy

To reduce the attack surface of a system, all services and ports should be blocked unless required.

- Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.
- Without a firewall rule configured for open ports, the default firewall policy will drop all packets to these ports.
- Required ports should have a firewall rule created to allow approved connections in accordance with local site policy.
- Unapproved ports should have an explicit deny rule created.

Solution

For each port identified in the audit which does not have a firewall rule, evaluate the service listening on the port and add a rule for accepting or denying inbound connections in accordance with local site policy:

Examples:

# ufw allow in <port>/<tcp or udp protocol>

# ufw deny in <port>/<tcp or udp protocol>

Note: Examples create rules for from any, to any. More specific rules should be concentered when allowing inbound traffic e.g only traffic from this network.

Example to allow traffic on port 443 using the tcp protocol from the 192.168.1.0 network:

ufw allow from 192.168.1.0/24 to any proto tcp port 443

See Also

https://workbench.cisecurity.org/benchmarks/13007

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Unix

Control ID: 558da02fe4662f47f8e4c904c7239fb2fed92a49c923712353d7a668dcc2a6e4