3.5.2.4 Ensure firewall rules exist for all open ports

Information

Any ports that have been opened on non-loopback addresses need firewall rules to govern
traffic.

Rationale:

Without a firewall rule configured for open ports default firewall policy will drop all
packets to these ports.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

For each port identified in the audit which does not have a firewall rule establish a proper
rule for accepting inbound connections:

# iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j
ACCEPT

Notes:

Changing firewall settings while connected over network can result in being locked out of
the system.

Remediation will only affect the active system firewall, be sure to configure the default
policy in your firewall management to apply on boot as well.

The remediation command opens up the port to traffic from all sources. Consult iptables
documentation and set any restrictions in compliance with site policy.

See Also

https://workbench.cisecurity.org/files/2420

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-7b., 800-53|SC-7(12), CSCv7|9.2, CSCv7|9.4

Plugin: Unix

Control ID: c6d89b84bb77a8a1d16934ecc6b8cec164ea7c31c1a404548c8e3b9fbd967a3b