3.4.2.7 Ensure nftables outbound and established connections are configured

Information

Configure the firewall rules for new outbound and established connections.

If rules are not in place for new outbound and established connections, all packets will be dropped by the default policy, preventing network usage.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure nftables in accordance with site policy. The following commands implement a policy that allows all outbound connections and all established connections:

# nft add rule inet filter input ip protocol tcp ct state established accept

# nft add rule inet filter input ip protocol udp ct state established accept

# nft add rule inet filter input ip protocol icmp ct state established accept

# nft add rule inet filter output ip protocol tcp ct state new,related,established accept

# nft add rule inet filter output ip protocol udp ct state new,related,established accept

# nft add rule inet filter output ip protocol icmp ct state new,related,established accept
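As an added example that is not part of this benchmark item or the Tenable audit, the following POSIX shell function audits a saved ruleset (the text printed by nft list ruleset) for the rules above. It assumes the table and chain names used by the Solution commands ("inet filter", "input", "output"); the sample ruleset is constructed so the check runs without nftables installed.

```shell
# Added example (not from the CIS benchmark or the Tenable audit): read
# "nft list ruleset" text on stdin and check for the Solution's rules.
# Assumes table "inet filter" with chains "input" and "output", as above.
# Returns 0 if all required rules are present, else prints each missing
# chain/protocol/state and returns 1.
check_nft_conn_rules() {
    awk '
        # Rule lines do not name their chain, so remember the enclosing one.
        $1 == "chain" { chain = $2 }
        $1 == "}"     { chain = "" }
        # Rule shape: ip protocol <proto> ct state <state[,state...]> accept
        chain != "" && $1 == "ip" && $2 == "protocol" && $4 == "ct" &&
        $5 == "state" && $NF == "accept" {
            # nft may print the state list in a different order than given
            n = split($6, st, ",")
            for (j = 1; j <= n; j++) found[chain, $3, st[j]] = 1
        }
        END {
            rc = 0
            split("tcp udp icmp", protos, " ")
            split("new related established", out_states, " ")
            for (p = 1; p <= 3; p++) {
                if (!found["input", protos[p], "established"]) {
                    printf "missing: input %s established\n", protos[p]; rc = 1
                }
                for (s = 1; s <= 3; s++)
                    if (!found["output", protos[p], out_states[s]]) {
                        printf "missing: output %s %s\n", protos[p], out_states[s]
                        rc = 1
                    }
            }
            exit rc
        }'
}
# Constructed sample of "nft list ruleset" output that satisfies this item.
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ip protocol tcp ct state established accept
        ip protocol udp ct state established accept
        ip protocol icmp ct state established accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ip protocol tcp ct state established,related,new accept
        ip protocol udp ct state established,related,new accept
        ip protocol icmp ct state established,related,new accept
    }
}'
printf '%s\n' "$SAMPLE_RULESET" | check_nft_conn_rules && echo "compliant"
```

On a live host, run nft list ruleset | check_nft_conn_rules; a non-zero exit with the printed "missing:" lines tells you which of the six rules still has to be added.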

See Also

https://workbench.cisecurity.org/benchmarks/13007

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Unix

Control ID: 8c510aabb50be97b76bf56fb2b0cfbb5927db3a4b93b7997022d071980ab370b