3.4.1.5 Ensure firewalld default zone is set

Information

A firewall zone defines the trust level for a connection, interface or source address binding. This is a one to many relation, which means that a connection, interface or source can only be part of one zone, but a zone can be used for many network connections, interfaces and sources.

- The default zone is the zone that is used for everything that is not explicitly bound/assigned to another zone.
- If no zone assigned to a connection, interface or source, only the default zone is used.
- The default zone is not always listed as being used for an interface or source as it will be used for it either way. This depends on the manager of the interfaces.

Connections handled by NetworkManager are listed as NetworkManager requests to add the zone binding for the interface used by the connection. Also interfaces under control of the network service are listed also because the service requests it.

Note:

-

A firewalld zone configuration file contains the information for a zone.

-

These are the zone description, services, ports, protocols, icmp-blocks, masquerade, forward-ports and rich language rules in an XML file format.

-

The file name has to be zone_name.xml where length of zone_name is currently limited to 17 chars.

-

NetworkManager binds interfaces to zones automatically

Because the default zone is the zone that is used for everything that is not explicitly bound/assigned to another zone, it is important for the default zone to set

Solution

Run the following command to set the default zone:

# firewall-cmd --set-default-zone=<NAME_OF_ZONE>

Example:

# firewall-cmd --set-default-zone=public

See Also

https://workbench.cisecurity.org/files/3796

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Unix

Control ID: c87314ba2dade7d703edfb46e206b414e1ad43c2b2bc8175f1cc200c4a26da0b