3.4.1.2 Ensure a single firewall configuration utility is in use

Information

FirewallD - A firewall service daemon that provides a dynamic, customizable host-based firewall with a D-Bus interface. Because it is dynamic, rules can be created, changed and deleted without restarting the firewall daemon each time the rule set changes.

NFTables - Includes the nft utility for configuring the nftables subsystem of the Linux kernel.

IPTables Services - Contains the iptables service and the ip6tables service, which store their configurations in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables.

Note: when firewalld uses the nftables backend, custom nftables rules cannot be passed to firewalld through the --direct option.

In order to configure firewall rules, a firewall utility needs to be installed and active on the system. Running more than one firewall utility at the same time may produce unexpected results, because each utility manages the kernel rule set independently and may overwrite or conflict with rules loaded by another.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Determine which firewall utility to use in your environment. Ensure it also follows local site policy, and follow the guidance for that option:

OPTION 1 - FirewallD:

Run the following command to uninstall nftables and iptables-services

# yum remove nftables iptables-services

- OR - If the package is required for a dependency and is authorized by local site policy, run the following commands to stop and mask nftables.service, iptables.service and ip6tables.service:

# systemctl stop nftables.service iptables.service ip6tables.service
# systemctl mask nftables.service iptables.service ip6tables.service

Follow the guidance in subsection "Configure firewalld". Skip sections "Configure nftables" and "Configure iptables".

OPTION 2 - NFTables:

Run the following command to uninstall firewalld and iptables-services

# yum remove firewalld iptables-services

- OR - If the package is required for a dependency and is authorized by local site policy, run the following commands to stop and mask firewalld.service, iptables.service and ip6tables.service:

# systemctl stop firewalld.service iptables.service ip6tables.service
# systemctl mask firewalld.service iptables.service ip6tables.service

Follow the guidance in subsection "Configure nftables". Skip sections "Configure firewalld" and "Configure iptables".

OPTION 3 - IPTables:

Run the following command to uninstall firewalld and nftables

# yum remove firewalld nftables

- OR - If the package is required for a dependency and is authorized by local site policy, run the following commands to stop and mask firewalld.service and nftables.service:

# systemctl stop firewalld.service nftables.service
# systemctl mask firewalld.service nftables.service

Follow the guidance in subsection "Configure iptables". Skip sections "Configure firewalld" and "Configure nftables".
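Whichever option is chosen, the state to verify afterwards is the same: exactly one of the three utilities should be both installed and enabled or active, and the other two should be either removed or masked. The script below is an added example written for this page; it is not the CIS audit procedure or Tenable's plugin logic. It treats a utility as "in use" when its package is installed AND at least one of its units is enabled or active (a masked unit fails that test), which is an assumption chosen to match the remediation above. The function names (has_word, utilities_in_use, check_single_firewall, live_state) and the --live flag are hypothetical; the package and unit names are the ones the remediation uses. State is passed in as strings so the logic can be exercised against captured data offline; live_state shows how to collect it on a host with rpm and systemctl.

```shell
#!/bin/sh
# Added example, not CIS or Tenable code: report which of firewalld, nftables
# and iptables-services are in use, and fail unless exactly one is.
#
# Assumption: a utility is "in use" when its package is installed AND at least
# one of its units is enabled or active. Masked units are neither, so the
# "stop and mask" remediation path satisfies the check.

# Return 0 if word $1 appears in the space-separated list $2.
has_word() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# $1: installed packages, space-separated (e.g. "firewalld nftables")
# $2: enabled-or-active units, space-separated (e.g. "firewalld.service")
# Prints the utilities in use on one line, e.g. "firewalld nftables".
utilities_in_use() {
    found=""
    has_word firewalld "$1" && has_word firewalld.service "$2" && found="$found firewalld"
    has_word nftables "$1"  && has_word nftables.service "$2"  && found="$found nftables"
    if has_word iptables-services "$1"; then
        if has_word iptables.service "$2" || has_word ip6tables.service "$2"; then
            found="$found iptables"
        fi
    fi
    echo "${found# }"
    return 0
}

# Same arguments as utilities_in_use. Prints a PASS/FAIL verdict and returns
# 0 only when exactly one utility is in use.
check_single_firewall() {
    in_use=$(utilities_in_use "$1" "$2")
    set -- $in_use                      # word-split the list so $# counts it
    case $# in
        1) echo "PASS: single firewall utility in use: $1"; return 0 ;;
        0) echo "FAIL: no firewall utility is both installed and enabled"; return 1 ;;
        *) echo "FAIL: $# firewall utilities in use: $in_use"; return 1 ;;
    esac
}

# Collect the two lists on a live RHEL/CentOS 7 style host. Output format is
# "<packages>|<units>" so the caller can split it without word-count tricks.
live_state() {
    pkgs=""
    for p in firewalld nftables iptables-services; do
        rpm -q "$p" >/dev/null 2>&1 && pkgs="$pkgs $p"
    done
    units=""
    for u in firewalld.service nftables.service iptables.service ip6tables.service; do
        # is-enabled is non-zero for disabled and masked units; is-active
        # catches a unit that is running but not enabled at boot.
        if systemctl is-enabled "$u" >/dev/null 2>&1 || systemctl is-active "$u" >/dev/null 2>&1; then
            units="$units $u"
        fi
    done
    printf '%s|%s\n' "${pkgs# }" "${units# }"
}

# Audit the local host only when explicitly asked (hypothetical --live flag),
# so the functions above can also be sourced and tested with canned input.
if [ "${1:-}" = "--live" ]; then
    state=$(live_state)
    check_single_firewall "${state%%|*}" "${state#*|}"
fi
```

Run it as `sh check-firewall.sh --live` on the target after remediation; a host that took the "stop and mask" path for the unused utilities still passes, because masked units are neither enabled nor active, while a host where both firewalld.service and nftables.service are enabled fails with both names listed.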

See Also

https://workbench.cisecurity.org/benchmarks/15965

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Unix

Control ID: 8b2b89da8187e085a430d8d8e169f1b991905576d1edfa0403672d95ca26286e