4.2.3 Ensure ufw service is enabled

Information

UncomplicatedFirewall (ufw) is a frontend for iptables. ufw provides a framework for managing netfilter, as well as a command-line interface and an optional graphical user interface for manipulating the firewall.

Note:

- When running ufw enable or starting ufw via its initscript, ufw will flush its chains. This is required so ufw can maintain a consistent state, but it may drop existing connections (e.g. ssh). ufw does support adding rules before enabling the firewall.
- Run the following command before running ufw enable:

  # ufw allow proto tcp from any to any port 22

- The rules will still be flushed, but the ssh port will be open after enabling the firewall. Please note that once ufw is 'enabled', ufw will not flush the chains when adding or removing rules (but will when modifying a rule or changing the default policy).
- By default, ufw will prompt when enabling the firewall while running under ssh. This can be disabled by using ufw --force enable.

The ufw service must be enabled and running in order for ufw to protect the system.

Solution

Run the following command to unmask the ufw daemon:

# systemctl unmask ufw.service

Run the following command to enable and start the ufw daemon:

# systemctl --now enable ufw.service

Run the following command to enable ufw:

# ufw enable
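The following script is an added example, written for this page and not part of the CIS benchmark or the Tenable audit, that ties the Note and the Solution together: it checks the three conditions the control cares about (the unit is unmasked and enabled, it is running, and the firewall itself has been enabled) and, on request, applies the remediation in the order that keeps an SSH session alive. It assumes a systemd host with `systemctl` and the `ufw` CLI available, root privileges for the live checks, and SSH on port 22 as in the Note; the state-evaluation function takes the command output as arguments so the pass/fail logic can be exercised without touching the firewall.

```shell
#!/bin/sh
# Added audit/remediation helper for control 4.2.3 (example code written for
# this page, not part of the CIS benchmark or the Tenable audit). Assumes
# systemd (systemctl) and the ufw CLI are present and the script runs as root.

# ufw_state_ok ENABLED_STATE ACTIVE_STATE UFW_STATUS_LINE
#   $1: output of `systemctl is-enabled ufw.service` (enabled, disabled, masked, ...)
#   $2: output of `systemctl is-active ufw.service`  (active, inactive, failed, ...)
#   $3: first line of `ufw status`                    ("Status: active" / "Status: inactive")
# Returns 0 only when the unit is unmasked and enabled, currently running, and the
# firewall itself is enabled. A masked unit, or a unit that is running but not
# enabled at boot, or a running service with 'ufw enable' never run, all fail.
ufw_state_ok() {
    [ "$1" = "enabled" ] || return 1            # 'masked' or 'disabled' fails here
    [ "$2" = "active" ] || return 1             # unit must currently be running
    [ "$3" = "Status: active" ] || return 1     # 'ufw enable' must have been run
    return 0
}

# audit_ufw: collect the live state and evaluate it. Prints PASS/FAIL, returns 0/1.
# '|| true' keeps the printed state even though systemctl exits non-zero for
# anything other than 'enabled' / 'active'.
audit_ufw() {
    enabled_state=$(systemctl is-enabled ufw.service 2>/dev/null || true)
    active_state=$(systemctl is-active ufw.service 2>/dev/null || true)
    ufw_status=$(ufw status 2>/dev/null | head -n 1)
    if ufw_state_ok "$enabled_state" "$active_state" "$ufw_status"; then
        echo "PASS: ufw.service $enabled_state/$active_state, $ufw_status"
        return 0
    fi
    echo "FAIL: ufw.service ${enabled_state:-unknown}/${active_state:-unknown}, ${ufw_status:-no ufw status}"
    return 1
}

# remediate_ufw: the page's remediation steps in the order that keeps an SSH
# session alive. The allow rule is added before 'ufw enable' because enabling
# flushes the chains (see the Note); --force skips the interactive prompt
# that ufw shows when it detects it is running under ssh.
remediate_ufw() {
    ufw allow proto tcp from any to any port 22
    systemctl unmask ufw.service
    systemctl --now enable ufw.service
    ufw --force enable
}

# Usage: sh ufw_check.sh --audit | --remediate   (no argument: define functions only)
case "${1:-}" in
    --audit)     audit_ufw ;;
    --remediate) remediate_ufw && audit_ufw ;;
esac
```

Run it with `--audit` from a configuration-management or audit job to get a single PASS/FAIL line; run `--remediate` only from a console or a session you are prepared to lose, since the chain flush on `ufw enable` still happens even with the allow rule in place.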

Impact:

Changing firewall settings while connected over the network can result in being locked out of the system.

See Also

https://workbench.cisecurity.org/benchmarks/18960

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Unix

Control ID: f3b9ed0cbc7450ad05a5cdd9ed69ba88e68444350ea38fc0cf2e6f62ed03a71d