3.5.1.7 Ensure ufw default deny firewall policy

Information

A default deny policy on connections ensures that any unconfigured network usage will be rejected.

Note: Any port or protocol without a explicit allow before the default deny will be blocked

Rationale:

With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage.

Impact:

Any port and protocol not explicitly allowed will be blocked. The following rules should be considered before applying the default deny.

ufw allow git

ufw allow in http

ufw allow in https

ufw allow out 53

ufw logging on

Solution

Run the following commands to implement a default deny policy:

# ufw default deny incoming

# ufw default deny outgoing

# ufw default deny routed

See Also

https://workbench.cisecurity.org/files/3219

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv7|9.4

Plugin: Unix

Control ID: e5a3a2e8cb0f25fe775231a4748a09d44a8ae3845e74c4abe6b2a329745fe4b1